CSP content security policy installed, works well but I get messages refusing to load fonts

Hello @digitalstartup and everybody else,

I did install the CSP Module you made and got rid of most of the error messages when I inspect with Chrome.
However, I do have 3 messages left (see below). The problem is that they don’t refer to a specific path.

My thoughts are that it has to do with WOFF fonts, and they are on the Magento site itself under /pub/static/...

So I added the URL of the site itself to “font-src” in the csp_whitelist.xml file, but that did not work.
The site does not have a certificate yet. Does it have to do with the site not having SSL yet?

Did you come across such a thing yet and how did you solve it?
Thanks a lot!
Kees

My installation followed your instructions: Magento version 2.3.5 on Ubuntu 18.04, with Elasticsearch (Mirasvit) and a number of Amasty extensions, all installed with Composer.

message 1:
[Report Only] Refused to load the font 'data:application/octet-stream;base64,d09GMgABAAAAABfcAA8AAAAAMbwAABeEAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHEIGVgCEXgggCZZwEQgKuHCzbgE2AiQDTAsoAAQgBYY5B4IGDIEGGwYuFeOYJeA8gFS/u+0i+//6wDaWNnZfEGToJHc0LPIwI0RoR8P8epqi0CiK35oaP2fuDSb2Cs1gQzC/aFyXukTxacCsoz/dre9+Y+NSnLev1hOzwvnuUEp4vnTm+9LKPu2KQ4gVMdsJWyHobtIdUBcg7HPp4qY7/2nN6n0q7upQZxaY5ACpJajJQlT2CI04YeT9n87y/9HIlr2CEbBBYJaRVwdEPh9VQGWqvJTEr0/RbBfANmWR4Wlz/45bwnGrENZxLPLuVk3UMllaGLDQBqOGAlahP5bWMCuGtamzTsDDqvGphNM/77grthK7AfkUuWSWLnVPFAaN/KBtqmyAwOa+SADA/6PulYYxZS...' because it violates the following Content Security Policy directive: "font-src *.gstatic.com *.fontawesome.com *.bootstrapcdn.com  'self' 'unsafe-inline'".

message 2:
[Report Only] Refused to load the font 'data:application/octet-stream;base64,d09GMgABAAAAABfcAA8AAAAAMbwAABeEAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHEIGVgCEXgggCZZwEQgKuHCzbgE2AiQDTAsoAAQgBYY5B4IGDIEGGwYuFeOYJeA8gFS/u+0i+//6wDaWNnZfEGToJHc0LPIwI0RoR8P8epqi0CiK35oaP2fuDSb2Cs1gQzC/aFyXukTxacCsoz/dre9+Y+NSnLev1hOzwvnuUEp4vnTm+9LKPu2KQ4gVMdsJWyHobtIdUBcg7HPp4qY7/2nN6n0q7upQZxaY5ACpJajJQlT2CI04YeT9n87y/9HIlr2CEbBBYJaRVwdEPh9VQGWqvJTEr0/RbBfANmWR4Wlz/45bwnGrENZxLPLuVk3UMllaGLDQBqOGAlahP5bWMCuGtamzTsDDqvGphNM/77grthK7AfkUuWSWLnVPFAaN/KBtqmyAwOa+SADA/6PulYYxZS...' because it violates the following Content Security Policy directive: "font-src *.gstatic.com *.fontawesome.com *.bootstrapcdn.com 'self' 'unsafe-inline'".

Message 3:
[Report Only] Refused to load the font 'data:application/octet-stream;base64,d09GMgABAAAAABfcAA8AAAAAMbwAABeEAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHEIGVgCEXgggCZZwEQgKuHCzbgE2AiQDTAsoAAQgBYY5B4IGDIEGGwYuFeOYJeA8gFS/u+0i+//6wDaWNnZfEGToJHc0LPIwI0RoR8P8epqi0CiK35oaP2fuDSb2Cs1gQzC/aFyXukTxacCsoz/dre9+Y+NSnLev1hOzwvnuUEp4vnTm+9LKPu2KQ4gVMdsJWyHobtIdUBcg7HPp4qY7/2nN6n0q7upQZxaY5ACpJajJQlT2CI04YeT9n87y/9HIlr2CEbBBYJaRVwdEPh9VQGWqvJTEr0/RbBfANmWR4Wlz/45bwnGrENZxLPLuVk3UMllaGLDQBqOGAlahP5bWMCuGtamzTsDDqvGphNM/77grthK7AfkUuWSWLnVPFAaN/KBtqmyAwOa+SADA/6PulYYxZS...' because it violates the following Content Security Policy directive: "font-src *.gstatic.com *.fontawesome.com *.bootstrapcdn.com 'self' 'unsafe-inline'".

I thought data:application/octet-stream;base64 was just for images. Anyway, try adding this line:

<value id="self" type="host">data:</value>

It’s just a bit of a guess, as I don’t have a way to test this. I just pieced this together with a bit of Googling.
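To see why adding the site's own URL to font-src could not help while `data:` does, here is an added example (not code from the thread or from the Magento CSP module) that parses a "[Report Only] Refused to load ..." console message like the ones above and re-evaluates the blocked URL against the directive's source list, before and after a scheme source is added. The matching follows the CSP Level 3 "does url match source list" rules in simplified form (no path or port matching); the console line is a constructed, trimmed copy of message 1, and the page origin `http://shop.example` is a placeholder assumption.

```python
"""Re-evaluate a CSP font-src violation: why 'self' cannot match a data: URL."""
import re
from urllib.parse import urlsplit

# Constructed sample: message 1 from the thread with the base64 payload trimmed.
CONSOLE_LINE = (
    "[Report Only] Refused to load the font 'data:application/octet-stream;"
    "base64,d09GMgABAAAAABfcAA8AAAAAMbwAABeE' because it violates the following "
    "Content Security Policy directive: \"font-src *.gstatic.com *.fontawesome.com "
    "*.bootstrapcdn.com 'self' 'unsafe-inline'\"."
)

# Placeholder origin of the page that emitted the message (assumption, not from the thread).
PAGE_ORIGIN = "http://shop.example"

# Shape of Chrome's console message; an assumption about the wording, not a spec.
VIOLATION_RE = re.compile(
    r"Refused to load the \w+ '(?P<url>[^']*)' because it violates the following "
    r"Content Security Policy directive: \"(?P<directive>[\w-]+) (?P<sources>[^\"]*)\""
)


def parse_violation(line):
    """Return (blocked_url, directive_name, [source expressions]) from a console message."""
    m = VIOLATION_RE.search(line)
    if not m:
        raise ValueError("not a CSP violation message")
    return m.group("url"), m.group("directive"), m.group("sources").split()


def _host_matches(pattern, host):
    """Host-source matching: '*' matches anything, '*.x' matches subdomains of x only."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:].lower())  # *.gstatic.com matches fonts.gstatic.com, not gstatic.com
    return pattern.lower() == host


def source_allows(expr, url, page_origin):
    """Does a single CSP source expression allow `url`? (simplified CSP3 rules)"""
    parts = urlsplit(url)
    page = urlsplit(page_origin)
    if expr.startswith("'"):
        # Keyword sources. 'self' compares scheme+host+port with the page; 'unsafe-inline'
        # only affects inline script/style execution and never allows a URL fetch.
        if expr == "'self'":
            return (parts.scheme, parts.netloc) == (page.scheme, page.netloc)
        return False
    if expr.endswith(":") and "/" not in expr:
        # Scheme source such as data: or https:. This is the only kind that can match a
        # data: URL, because a data: URL has no host for 'self' or a host source to match.
        return parts.scheme == expr[:-1].lower()
    # Host source: [scheme://]host[:port][/path]; port and path are ignored in this demo.
    scheme_part = expr.split("://", 1)[0] if "://" in expr else None
    host_part = expr.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]
    if scheme_part and parts.scheme != scheme_part.lower():
        return False
    host = parts.netloc.split(":")[0].lower()
    return parts.scheme in ("http", "https") and _host_matches(host_part, host)


def url_allowed(url, sources, page_origin=PAGE_ORIGIN):
    """A URL is allowed when any expression in the directive's source list matches it."""
    return any(source_allows(s, url, page_origin) for s in sources)


def explain(line, page_origin=PAGE_ORIGIN):
    """Evaluate the reported URL against the reported list, then with its scheme added."""
    url, directive, sources = parse_violation(line)
    scheme = urlsplit(url).scheme
    before = url_allowed(url, sources, page_origin)
    fixed = sources if before else sources + [scheme + ":"]
    return {
        "directive": directive,
        "scheme": scheme,
        "allowed_before": before,
        "allowed_after": url_allowed(url, fixed, page_origin),
        "fixed_sources": fixed,
    }


if __name__ == "__main__":
    for key, value in explain(CONSOLE_LINE).items():
        print(f"{key}: {value}")
```

Running it shows `allowed_before: False` and `allowed_after: True` once `data:` is in the list, which is exactly what the `<value ... type="host">data:</value>` whitelist entry above adds for font-src. The font in the messages is embedded inline as a data: URL, so it is never fetched from the site's host and no host entry, nor the `'self'` already present, can match it; `'unsafe-inline'` in font-src has no effect at all, since that keyword only governs inline scripts and styles. Allowing `data:` in font-src only widens which fonts may render, a much smaller exposure than `data:` in script-src, which is what tools such as CSP Evaluator flag as high severity.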

Hello @digitalstartup,

That worked for me.
I did find sites referring to that, but I did not know how to implement it. Thanks!

I tried to evaluate the site with CSP Evaluator.
It brings up some more issues:

Did you come across this as well, and how did you fix it?

Glad it worked. I’ve never run this report before. I’ll check it out sometime and compare the results.
