joomla / joomla-websites


joomla.org - Refused to load ... because it violates the CSP #1291

Closed anibalsanchez closed 4 years ago

anibalsanchez commented 5 years ago

There is a console CSP error on the main site.

Refused to load the font '<URL>' because it violates the following Content Security Policy directive: "font-src 'self' <URL> <URL>".

A font is not being loaded.

mbabker commented 5 years ago

Please provide specific page(s). I'm not seeing any CSP related errors.

PhilETaylor commented 5 years ago

[screenshot 2019-01-23 at 12:50:18]

mbabker commented 5 years ago

[screenshot 2019-01-23 at 6:53:04 am]

mbabker commented 5 years ago

Either way @zero-24 sees these CSP violation reports so maybe has something actionable to work with because I clearly don't.

mbabker commented 5 years ago

Also, AFAIR we don't serve any fonts in WOFF2 format (except maybe the Google Font resources), so I have no idea what's trying to inject those fonts and causing the CSP violation in the first place.

PhilETaylor commented 5 years ago

https://www.youtube-nocookie.com/embed/lcmz8VgDixA?rel=0&controls=0&showinfo=0

That brings in all kinds of crap...

https://gist.github.com/PhilETaylor/0ac7fab73ff3ba042fcaec0bebdbf0fc

mbabker commented 5 years ago

Well, if I'm guessing right, the issue is in their CSS for the Roboto font...

[...]src:local('Roboto Medium Italic'),local('Roboto-MediumItalic'),url(//fonts.gstatic.com/s/roboto/v18/KFOjCnqEu92Fr1Mu51S7ACc5CsTYl4BOQ3o.woff2)format('woff2')[...]

fonts.gstatic.com is a whitelisted domain in our CSP rules already. The errors you've posted are all data URIs. I'm assuming this means it's trying to use Roboto fonts installed on your local PC and that is triggering the CSP error (I don't have Roboto fonts locally and I guess this is why I don't have the reports).

PhilETaylor commented 5 years ago

the solution would be to change from

font-src 'self' https://fonts.gstatic.com https://*.joomla.org;

to

font-src 'self' data: https://fonts.gstatic.com https://*.joomla.org;

but not sure if you would want to :) especially if the fonts are never really being used and only imported by some third party plugin website that just displays a youtube video without setting a cookie...

if only we did not have to invent ways to break the internet... like, not setting cookies...
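The two `font-src` lines above differ only by the `data:` scheme source, and the rest of the thread turns on what that one token admits. As an added illustration (written for this page, not code from joomla.org or the Joomla project), the checker below evaluates each quoted policy against a handful of constructed font URLs in the shape of the console messages: a `data:` URI, the protocol-relative `fonts.gstatic.com` URL from Google's CSS, a first-party font, and an unlisted third-party host. The page origin `https://www.joomla.org`, the sample URLs and all function names are assumptions. It generalises slightly past the thread by also handling the `default-src` fallback and the fact that `*.joomla.org` does not match the bare `joomla.org`.

```python
"""Added example: evaluate font URLs against a CSP font-src directive.

Illustrative code written for this thread, not part of joomla.org or Joomla.
POLICY_BEFORE / POLICY_AFTER are the two font-src lines quoted above; the
page origin and the sample font URLs are constructed assumptions.
"""
from urllib.parse import urlparse

PAGE_ORIGIN = "https://www.joomla.org"  # assumed origin of the page sending the CSP

POLICY_BEFORE = "default-src 'self'; font-src 'self' https://fonts.gstatic.com https://*.joomla.org;"
POLICY_AFTER = "default-src 'self'; font-src 'self' data: https://fonts.gstatic.com https://*.joomla.org;"


def directive_sources(csp, name):
    """Return the source expressions of directive `name` in a CSP string, or [] if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == name:
            return tokens[1:]
    return []


def source_matches(source, url, page_origin=PAGE_ORIGIN):
    """Does one CSP source expression allow `url`?

    Covers 'self', scheme sources (data:, https:) and host sources with an
    optional scheme and a leading *. wildcard. Ports and paths are ignored.
    """
    page = urlparse(page_origin)
    if url.startswith("//"):  # protocol-relative URL, as in Google's font CSS
        url = f"{page.scheme}:{url}"
    target = urlparse(url)

    if source == "'self'":
        # data: URIs have an opaque origin, so 'self' never matches them
        return target.scheme == page.scheme and target.netloc == page.netloc

    if source.endswith(":") and "/" not in source:  # scheme source, e.g. data:
        return target.scheme == source[:-1].lower()

    # host source: [scheme://]host, where host may start with *.
    if "://" in source:
        scheme, host = source.split("://", 1)
    else:
        scheme, host = "", source
    if scheme and target.scheme != scheme.lower():
        return False
    if not target.hostname:  # data: URIs carry no host, so no host source matches
        return False
    host = host.lower().rstrip("/")
    if host.startswith("*."):
        # *.joomla.org matches any subdomain but not the bare joomla.org
        return target.hostname.endswith(host[1:])
    return target.hostname == host


def font_allowed(csp, url, page_origin=PAGE_ORIGIN):
    """True if `url` may be loaded as a font under `csp`.

    Falls back to default-src when font-src is absent, as browsers do.
    """
    sources = directive_sources(csp, "font-src") or directive_sources(csp, "default-src")
    return any(source_matches(s, url, page_origin) for s in sources)


def blocked_fonts(csp, urls, page_origin=PAGE_ORIGIN):
    """Return the subset of `urls` the policy would refuse, in input order."""
    return [u for u in urls if not font_allowed(csp, u, page_origin)]


# Constructed sample font URLs in the shape of the thread's console messages
SAMPLE_FONTS = [
    "data:font/woff;base64,d09GRgABAAAA",  # inline font from the embed's CSS
    "//fonts.gstatic.com/s/roboto/v18/KFOjCnqEu92Fr1Mu51S7ACc5CsTYl4BOQ3o.woff2",  # url() quoted above
    "https://www.joomla.org/media/fonts/site.woff2",  # first-party font (assumed path)
    "https://cdn.example.invalid/roboto.woff2",  # unlisted third-party host
]

if __name__ == "__main__":
    for label, policy in (("before", POLICY_BEFORE), ("after", POLICY_AFTER)):
        print(f"{label}: blocked {blocked_fonts(policy, SAMPLE_FONTS)}")
```

Run as-is it shows the trade-off in one line each: the original policy refuses the `data:` font and the third-party host, while the `data:` variant refuses only the third-party host, because a scheme source admits every inline font on the page regardless of which stylesheet embedded it.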

brianteeman commented 5 years ago

YouTube can be embedded without cookies so no need for anything else to handle that.

mbabker commented 5 years ago

The youtube-nocookie.com domain is already used as well. So it's nothing to do with getting around cookie usage.

PhilETaylor commented 5 years ago

You misunderstand. The youtube-nocookie.com domain is loading CSS that then refers to fonts using data: URLs. It's not using URLs on their domain, it's using data:-prefixed base64 strings.

The policy specifically states (by omission) that the page should not load/trust URLs from the data: protocol.

Joomla.org's policy specifically doesn't allow data: URLs to be used for fonts. This will cause the issue.

Either Joomla.org's policy needs to allow data: URLs, or accept that there are errors, or remove the plugin that uses code from youtube-nocookie.com.

mbabker commented 5 years ago

It's not a plugin. We're just using an iframe to include the videos using the youtube-nocookie.com domain (really, look at the HTML source and try to find any of that garbage HTML plugins and modules add 😉). Blindly allowing all data: URIs for fonts isn't an acceptable solution, might as well just turn off the CSPs at that point, and taking videos off the homepage (or for that matter the entire domain) I suggest isn't an option we're going to put on the table either.

PhilETaylor commented 5 years ago

Then I suggest you stop using the iframe which is loading loads of html/js/css and not just html needed to display a video...

That would solve the issue.

mbabker commented 5 years ago

If you know of a non-iframe based way to embed YouTube videos, I'm all eyes.

PhilETaylor commented 5 years ago

Sorry let me rephrase.

Stop using the iframe from youtube-nocookie.com and use the official iframe solution from YouTube which, according to @brianteeman, allows you to not set cookies (although I cannot find a link for you in my quick searching).

mbabker commented 5 years ago

youtube-nocookie.com is the no cookie option. The other choice is to iframe youtube.com which includes their cookies.

PhilETaylor commented 5 years ago

oh I thought youtube-nocookie was a non-official project. oh well.

Then you are screwed. :)

brianteeman commented 5 years ago

> If you know of a non-iframe based way to embed YouTube videos, I'm all eyes.

oembed?

PhilETaylor commented 5 years ago

oembed just gives you a json with the same iframe html in it, which ultimately still loads the fonts...

{
  "height": 344,
  "width": 459,
  "title": "dragons. geese. Michael Vick. (ft. T-Pain) // Auto-Tune the News #8",
  "thumbnail_width": 480,
  "thumbnail_height": 360,
  "html": "<iframe width=\"459\" height=\"344\" src=\"https://www.youtube.com/embed/bDOYN-6gdRE?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture\" allowfullscreen></iframe>",
  "provider_name": "YouTube",
  "version": "1.0",
  "author_url": "https://www.youtube.com/user/schmoyoho",
  "author_name": "schmoyoho",
  "thumbnail_url": "https://i.ytimg.com/vi/bDOYN-6gdRE/hqdefault.jpg",
  "provider_url": "https://www.youtube.com/",
  "type": "video"
}

zero-24 commented 5 years ago

Well, I would be happy to help here, but please tell me how you get the errors, as I also cannot reproduce it. All looks clear to me in the browser console: nothing in Chrome and nothing in Firefox either.

> A font is not being loaded.

Does this have any effect on your end, as I would expect the online fonts to be loaded in that case? Can you please confirm or negate that you have the font installed locally, and whether this can be fixed by temporarily uninstalling them?

anibalsanchez commented 5 years ago

Refused to load the font 'data:font/woff;base64,d09GRgABAAAAAGVUABEAAAAAxuQAAQABAAAAAAAAAAAAAAAAAAAAAAAAAABHREVGAAABgAAAAC4AAAA0ArgC7UdQT1MAAAGwAAAQ6AAALgxKsqRTR1NVQgAAEpgAAAH3AAAELqI5y+RPUy8yAAAUkAAAAE8AAABgaGyBu2NtYXAAABTgAAABlAAAAkQkRATXY3Z0IAAAFnQAAABeAAAAugDsQf1mcGdtAAAW1AAABZcAAAvNb3/BHGdhc3AAABxsAAAACAAAAAgAAAAQZ2x5ZgAAHHQAAEApAAB3CtbiupxoZWFkAABcoAAAADYAAAA2BkubWWhoZWEAAFzYAAAAIAAAACQHFARfaG10eAAAXPgAAAI6AAAEEk4TN4Nsb2NhAABfNAAAAhIAAAISiLhpam1heHAAAGFIAAAAIAAAACACigzgbmFtZQAAYWgAAACUAAABHhQGLdJwb3N0AABh/AAAAq4AAASRk5y6n3ByZ...' because it violates the following Content Security Policy directive: "font-src 'self' https://fonts.gstatic.com https://*.joomla.org".

So, the issue seems to be related to Chrome.

mbabker commented 5 years ago

Err, no it's not. I use Chrome, I don't have CSP issues (as shown in my screenshot). Maybe Google is doing something at their end to change the font stack in their YouTube embeds for different browsers, you'd have to inspect the HTML of the iframe to validate this though.

conconnl commented 4 years ago

Closed - Old issue; the CSP has been changed on different factors since then. A reporting system is running to provide us with feedback on any CSP conflict. If issues arise we will be notified.