Code: Select all
<link href='http://fonts.googleapis.com/css?family=Roboto:400,400italic,500|Roboto+Condensed' rel='stylesheet' type='text/css'>
Here's what I get in Firefox console:
I tried disabling XSS protection altoghether, but it has no effect. There's no XSS message when the fonts are blocked, either:Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://fonts.gstatic.com/s/roboto/v15/C ... UTuA.woff2. (Reason: CORS header 'Access-Control-Allow-Origin' missing).
downloadable font: download failed (font-family: "Roboto" style:normal weight:normal stretch:normal src index:2): bad URI or cross-site access not allowed source: http://fonts.gstatic.com/s/roboto/v15/C ... UTuA.woff2
Only found two ways to make it work:
1. Use secure https://fonts.googleapis.com/etc... link to include the fonts, then it works (no idea why)
2. Restart Firefox with NoScript add-on disabled (that's my only clue that it's NoScript doing this)
So, any way to use NoScript as before but allow Google Fonts? I thought maybe I need to add XSS exception, but unchecking XSS protection had no effect...