Content Security Policy blocks Google Fonts

CptDayDreamer · January 7, 2024, 4:14am

The error is the following:

Refused to load the font 'https://fonts.gstatic.com/s/mulish/v13/1Ptvg83HX_SGhgqk0gotcqA.woff2' because it violates the following Content Security Policy directive: "font-src 'self' data:".

I see it when I press F12 and view the logs in the browser. It appears 40 times per site.

On the logs page, I cannot see anything because of this.

The security header check says the CSP looks like this:

default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'self' blob: https://api.certificate24.com/ https://www.certificate24.com/ 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob: * https://*.tile.openstreetmap.org;font-src 'self' data:;connect-src 'self' blob: stun.nextcloud.com:443 https://api.certificate24.com/ https://www.certificate24.com/;media-src 'self' blob:;frame-src 'self' https://www.youtube-nocookie.com;child-src blob: 'self' https://api.certificate24.com/ https://www.certificate24.com/;frame-ancestors 'self';worker-src blob: 'self' https://api.certificate24.com/ https://www.certificate24.com/;form-action 'self'

Nextcloud version (eg, 20.0.5): 28.0.1
Operating system and version (eg, Ubuntu 20.04): unRAID 6.12.6 (Linux 6.1.64-Unraid x86_64)
Apache or nginx version (eg, Apache 2.4.25): nginx newest version I guess
PHP version (eg, 7.4): 8.2.13

Mornsgrans · January 7, 2024, 8:16am

Google fonts are not implemented in Nextcloud, it only uses the native fonts of the server’s operating system.

Since Google fonts do not meet GDPR compliance, they should not be used.

bb77 · January 7, 2024, 8:33am

You can actually use them in a GDPR-compliant way if you host them locally on your server, rather than using Google’s Fonts API.

But you’re right, afaik Nextcloud does not use them. Unless, of course, you are using e.g. Roboto as your system font, as I’m doing.

CptDayDreamer · January 7, 2024, 8:08pm

I have not set them anywhere. Why are they getting loaded then? And I guess the missing logs on the log page have a different reason. The JS module cannot be loaded. I guess I should switch to Nextcloud AIO asap.

CptDayDreamer · January 7, 2024, 8:10pm

But it’s saying Mulish font in the URL. I have no idea where it comes from.

I have multiple errors like this for different plugins:
Failed to load module script: Expected a JavaScript module script but the server responded with a MIME type of "application/octet-stream". Strict MIME type checking is enforced for module scripts per HTML spec.

bb77 · January 8, 2024, 9:30am

Not sure, I’m not getting those on my instance. Maybe one of the apps you have installed or some external rescource embedded in one of those apps is trying to load it?

CptDayDreamer · January 8, 2024, 1:19pm

Can I see it in the browser logs like in the network? It appears on every page so I’m wondering if that’s really an app causing it.