font-src
Content-Security-Policy Fetch

Overview

font-src controls the origins of web fonts loaded via @font-face and similar. When omitted it inherits from default-src. Fonts are not scripts and carry low execution risk, but restricting their source is a sound hygiene control.

Details

With Google Fonts, the stylesheet (fonts.googleapis.com) belongs in style-src and the actual font files (fonts.gstatic.com) in font-src — opening only one causes fonts to fail loading and produce FOUT/FOIT or broken rendering. Inline base64 fonts require allowing data:.

Fonts can serve as a tracking vector, and font-parser vulnerabilities have historically existed in browser/OS rendering engines, so restricting to trusted hosts is prudent. For most sites, 'self' + a font CDN + (if needed) data: is sufficient.

Syntax

Content-Security-Policy: font-src 'self' https://fonts.gstatic.com data:

Notes

Related directives