Refused to load the font '<URL>' because it violates the following Content Security Policy directive default-src ,so default-src is used as a fallback

Asked 28/5, 2018 at 6:5 Answered 25/9, 2022 at 0:45

javascript angularjs mean

I am creating a web app using the mean stack in angular 6 but I am getting below error message on the browser console.

"Refused to load the font '<URL>' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'font-src' was not explicitly set, so 'default-src' is used as a fallback."

Code:

 getUsers() {
    return this._http.get("/api/users")
      .pipe(map(result => this.result = result.json().data));
  }

Throwaway answered 28/5, 2018 at 6:5 Comment(1)

Content security policy. not sure how angular has something to do with it. this is a new standard for modern browsers (read the spec) – Sheaff 28/5, 2018 at 6:10

Content security policy is a way for modern browsers, to define a set of restrictions when loading remote resources.

Response headers from the HTTP protocol can set those policies:

Content-Security-Policy header (official), X-Content-Security-Policy (supported by Mozilla Firefox and IE10) and X-WebKit-CSP (supported by Google Chrome and Safari) HTTP response headers with the list of Content Security Policy directives. (from seckit drupal module)

You can set different policies to different types of elements in the DOM (e.g <img>, <script>, <object>, <embed>, <iframe> and so on...), to restrict requests that originates from that element.

So you need to change 'self' to one of the following:

'none' - block content from any source
'self' - allow content only from your domain
'unsafe-inline' - allow specific inline content (note, that it is supported by a subset of directives)
'unsafe-eval' - allow a set of string-to-code API which is restricted by default (supported by script-src directive)

Wildcards (*) are allowed:

* - load content from any source
*.example.com - load content from example.com and all its subdomains
example.com:* - load content from example.com via any port. -
Otherwise, it will use your website default port

Sheaff answered 28/5, 2018 at 6:36 Comment(0)

Adding 'self' and data: to the font-src works for me.

Content-Security-Policy: font-src 'self' data:;

Henrieta answered 5/8, 2019 at 5:26 Comment(1)

Under Response Headers for the page – Henrieta 12/11, 2019 at 10:57

font-src reference doc from MDN

The Content-Security-Policy header is set by your api. Check your api response for its value. As per the error, I think your fonts are loaded from a different domain than your application domain. Unless your api whitelists that domain, your browser will not load the font.

Example:

Content-Security-Policy: font-src https://example.com/

Oxytetracycline answered 28/5, 2018 at 6:18 Comment(0)

-1

just close all browser, clear cache and restart VSC or your code editor. Ir worked fro me.

Indue answered 25/9, 2022 at 0:45 Comment(0)

Recommended topics

Hot tags