[nginx] Refused to load the font 'data:application/x-font-woff;'Note that 'font-src' was not explicitly set, so 'default-src' is used as a fallback.

问题

Nginx添加CSP响应头设置之后报错：

Refused to load the font ‘data:application/x-font-woff;charset=utf-8;base64,d09G…’ because it violates the following Content Security Policy directive: "default-src ‘self‘". Note that ‘font-src‘ was not explicitly set, so ‘default-src‘ is used as a fallback.

原因

嵌入在js中font-src是data-base64字符串类型，而nginx CSP配置没有相关设置，导致被浏览器阻拦

解决

CSP内容追加对font的配置   font-src ‘self‘ data:;

完整配置

add_header Content-Security-Policy "default-src ‘self‘; img-src ‘self‘ data:; script-src ‘self‘ ‘unsafe-inline‘ ‘unsafe-eval‘; style-src ‘self‘ ‘unsafe-inline‘; connect-src ‘self‘;font-src ‘self‘ data:;";

表示js img js css font 支持同域名地址和行内嵌入

[nginx] Refused to load the font 'data:application/x-font-woff;'Note that 'font-src' was not explicitly set, so 'default-src' is used as a fallback.

原文：https://www.cnblogs.com/minnie-huang/p/14411550.html