6

I have a webpage with http loaded content, and this font page with https:

https://fonts.googleapis.com/css?family=Oswald:300,700,regular&subset=latin-ext

which I have embeded in the first page.

When I am loading the page, it's displaying the error below:

has been blocked by CORS policy: The request client is not a secure context and the resource is in more-private address space local.

Is there anything I can do about it on Apache ?

Florian Castellane
  • 1,197
  • 2
  • 14
  • 38
Apache newbie
  • 61
  • 1
  • 1
  • 2
  • Could you add a [minimal reproducible example](https://stackoverflow.com/help/minimal-reproducible-example)? – jub0bs Nov 23 '21 at 15:29

2 Answers2

15

With CORS-rfc1918, chrome will be mandating public websites accessing private content use HTTPS.

FIX: You can either serve the content behind HTTPS, or else in your browser flags (eg chrome://flags) disable Block insecure private network requests

block-insecure-private-network-requests: With this flag turned on, any requests to a private network resource from an HTTP website will be blocked.

Wesley Cheek
  • 1,058
  • 12
  • 22
3

add header Access-Control-Allow-Private-Network

https://developer.chrome.com/blog/private-network-access-update/

xiaosa
  • 31
  • 1
  • 1
    Your answer could be improved with additional supporting information. Please [edit] to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Oct 13 '21 at 09:32
  • 2
    That page does not mention Access-Control-Allow-Private-Network. This newer one describes implementation: https://developer.chrome.com/blog/private-network-access-preflight/ – 1owk3y Sep 11 '22 at 05:33