Content Security Policy (CSP)
Quick Reference Guide

The CSP font-src Directive Guide

The font-src Content Security Policy (CSP) directive guards the loading of fonts using @font-face.

Example Policy

Assume a Content-Security-Policy header is set with the following policy:

font-src 'self';


With the above CSP policy, fonts can be loaded from the same origin (via the 'self' source list value), or via URLs starting with:

@font-face {
  font-family: 'MyLocalFont';
  src: url('/fonts/font.ttf');
@font-face {
  font-family: 'ExternalFont';
  src: url('');


The above policy will block any font not same origin or via, so the following would be blocked:

@font-face {
  font-family: 'BlockedByCSP';
  src: url('');

Inherits from default-src

If you don't specify a font-src but do specify a default-src CSP directive, then the value of default-src will be used as the policy for font-src. So for example if you had the following policy:

default-src 'none'

When you try to load a font via a CSS @font-face you would get an error like this in the console:

Refused to load the font '<url>' because it violates the following content security policy directive: "default-src 'none'". note that 'font-src' was not explicitly set, so 'default-src' is used as a fallback.

Browser Support for font-src

CSP Level 1

Supported On:

Chrome 25+ (2013)
Firefox 23+ (2013)
Safari 7+ (2013)
Edge 12+ (2015)

Not Supported On:

Internet Explorer

The CSP font-src directive has been part of the Content Security Policy Specification since the first version of it (CSP Level 1).

Internet Explorer 11 and below do not support the font-src directive. This means that IE11 will simply ignore the policy and allow fonts to load from anywhere (as if a policy had not been set at all).

CSP Developer Field Guide

CSP Developer Field Guide

Want to learn the ins and outs CSP? Grab a copy of the CSP Developer Field Guide. It's a short and sweet guide to help developers get up to speed quickly.

Grab a Copy

Struggling to stay on top of security advisories?

Advisory Week is a weekly roundup of all the security advisories published by the major software vendors.