font-srcfont-src controls the origins of web fonts loaded via @font-face and similar. When omitted it inherits from default-src. Fonts are not scripts and carry low execution risk, but restricting their source is a sound hygiene control.
With Google Fonts, the stylesheet (fonts.googleapis.com) belongs in style-src and the actual font files (fonts.gstatic.com) in font-src — opening only one causes fonts to fail loading and produce FOUT/FOIT or broken rendering. Inline base64 fonts require allowing data:.
Fonts can serve as a tracking vector, and font-parser vulnerabilities have historically existed in browser/OS rendering engines, so restricting to trusted hosts is prudent. For most sites, 'self' + a font CDN + (if needed) data: is sufficient.
Content-Security-Policy: font-src 'self' https://fonts.gstatic.com data: