Google Fonts blocked by NoScript
Posted: Fri Mar 18, 2016 4:40 am
I'm using Google Fonts on my website like this, it's been working for over a year.
But recently a fallback font appears on Firefox with NoScript. "Forbid @font-face" is unchecked, and it shouldn't matter in the first place since my website is whitelisted.
<link href='http://fonts.googleapis.com/css?family=Roboto:400,400italic,500|Roboto+Condensed' rel='stylesheet' type='text/css'>
Here's what I get in Firefox console:
I tried disabling XSS protection altogether, but it has no effect. There's no XSS message when the fonts are blocked, either:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://fonts.gstatic.com/s/roboto/v15/C ... UTuA.woff2. (Reason: CORS header 'Access-Control-Allow-Origin' missing).
downloadable font: download failed (font-family: "Roboto" style:normal weight:normal stretch:normal src index:2): bad URI or cross-site access not allowed source: http://fonts.gstatic.com/s/roboto/v15/C ... UTuA.woff2

Only found two ways to make it work:
1. Use secure https://fonts.googleapis.com/etc... link to include the fonts, then it works (no idea why)
2. Restart Firefox with NoScript add-on disabled (that's my only clue that it's NoScript doing this)
So, any way to use NoScript as before but allow Google Fonts? I thought maybe I need to add an XSS exception, but unchecking XSS protection had no effect...