As I am new to cloud hosting and server hosting (decided to take the jump from shared hosting) I can't pinpoint why this is happening.

Long story short I'm trying to get Google Fonts to load and neither Chrome nor Firefox are allowing it so I've begun to look up and understand the headers. I'm using php7.2 and Nginx 1.1.14 and both the default and my custom.conf file (domain file) have no CSPs loaded?

Any ideas how I can track this down?!

Refused to load the stylesheet 'https://fonts.googleapis.com/css?family=Averia+Serif+Libre' because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-inline'". Note that 'style-src-elem' was not explicitly set, so 'style-src' is used as a fallback.

But I don't have any CSP anywhere! So frustrated.

Here's my custom.conf:

server {
        listen 80;
        root /var/www/html/custom;
        index index.php index.html index.htm index.nginx-debian.html;
        server_name _;
        location / {
                try_files $uri $uri/ =404;
        }
        location ~* \.(eot|ttf|woff)$ {
                add_header Access-Control-Allow-Origin *;
        }
        location ~ \.php$ {
                include snippets/fastcgi-php.conf;
                fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
        }
        location ~ /\.ht {
                deny all;
        }
}

And here's my default:

server {
        listen 80 default_server;
        listen [::]:80 default_server;
        root /var/www/html;
        index index.php index.html index.htm index.nginx-debian.html;
        server_name _;
        location / {
                try_files $uri $uri/ =404;
        }
        location ~ \.php$ {
                include snippets/fastcgi-php.conf;
                fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
        }
        location ~ /\.ht {
                deny all;
        }
}

EDIT: If it helps any I chose the "LEMP" option on Digital Ocean to create a custom setup? I've opened a ticket over there as well but it's been a couple days now.

Cameron A
  • Did you try the solution given here: https://stackoverflow.com/questions/31211359/refused-to-load-the-script-because-it-violates-the-following-content-security-po ? – Melvyn Marigny May 06 '20 at 22:02
  • @MelvynMarigny So you're saying I should add a CSP to the php files then? I'm working with no CSP anywhere. Server nor PHP files at the moment. – Cameron A May 06 '20 at 22:04
  • Yes. You can read this more related answer: https://stackoverflow.com/questions/33984908/google-fonts-violates-content-security-policy – Melvyn Marigny May 06 '20 at 22:09
  • That is a very bad practice. So if I'm understanding this properly you basically must include CSP now with Nginx. I know that is not the case with Apache so I may just go back to Apache. But thanks for the information. I can just imagine what other new services come about that use two or 3 resources like style-src and font-src and servers all across the world will have to update or immediately break. Yikes man. – Cameron A May 06 '20 at 22:10
  • Like consider that one day google adds in GA software to google fonts or something. That's immediate server break across all CSP websites using those declarations. – Cameron A May 06 '20 at 22:17

0 Answers
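
One way to track down where a policy like the one in the browser message comes from, as an added example that is not part of the original question or comments: a CSP can reach the browser as a response header (set by the web server or by the application) or as a `<meta http-equiv>` tag in the HTML, so both are checked, and the `style-src-elem` -> `style-src` -> `default-src` fallback from the message is applied. The sample response and the names `find_policies`, `governing_directive` and `blocks` are constructed for illustration, and source matching is simplified to an exact origin or `*`.

```python
from html.parser import HTMLParser

# Constructed sample (not captured from the asker's server): nginx sends no CSP
# header, but the HTML produced by the application carries one in a <meta> tag.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n"
    "<html><head><meta http-equiv=\"Content-Security-Policy\""
    " content=\"style-src 'self' 'unsafe-inline'\">"
    "</head><body></body></html>"
)
FONT_ORIGIN = "https://fonts.googleapis.com"

class MetaCSP(HTMLParser):
    def __init__(self):
        super().__init__()
        self.policies = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "content-security-policy":
            self.policies.append(a.get("content") or "")

def find_policies(raw):
    """Return [(delivery, policy)] for every CSP in a raw HTTP response."""
    head, _, body = raw.partition("\r\n\r\n")
    found = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "content-security-policy":
            found.append(("header", value.strip()))
    parser = MetaCSP()
    parser.feed(body)
    return found + [("meta", p) for p in parser.policies]

def governing_directive(policy, chain=("style-src-elem", "style-src", "default-src")):
    """First directive in the fallback chain that the policy sets, or None."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])  # first occurrence wins
    return next(((n, directives[n]) for n in chain if n in directives), None)

def blocks(policy, origin):
    """Simplified check: True if the governing directive lists neither '*' nor the origin."""
    hit = governing_directive(policy)
    return hit is not None and "*" not in hit[1] and origin not in hit[1]

if __name__ == "__main__":
    print([(d, blocks(p, FONT_ORIGIN)) for d, p in find_policies(SAMPLE_RESPONSE)])
```

When a response carries more than one policy, the browser enforces all of them, so a stylesheet has to pass every entry `find_policies` returns.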