Auto-source fonts.googleapis.com without https://

Created on 3 April 2025, 23 days ago

Problem/Motivation

A client of mine has some issues with the fonts.googleapis.com mention in my CSP header, because this is a URL without https://.
I checked my settings and see this is added in the auto-source in the style-src part.

Question

I have some questions about this:
1. What is this auto source based on?
2. Is this indeed a security risk?
3. If needed, how can I change this auto-source?

💬 Support request
Status

Active

Version

2.0

Component

Code

Created by

🇳🇱Netherlands zebda


Comments & Activities

  • Issue created by @zebda
  • 🇳🇱Netherlands zebda
  • 🇨🇦Canada gapple

    1. Auto sources are parsed from your site's *.libraries.yml definitions. The assets for that library are probably included as protocol-relative urls (//fonts.googleapis.com/...). The CSP module only includes the protocol when parsing sources if it is https://.

    2.a: With a protocol-relative URL, if your site is hosted with HTTPS then the browser will also request the asset with HTTPS. Modern browsers also now make requests https-first, only falling back to http if not available even for links to an http destination that are on an http site.

    2.b: assets from fonts.googleapis.com are served with an HTTP Strict Transport Security header, so if a browser has ever made any requests to the domain, it will only use https for any future requests, and block any potential downgrade attempts.

    2.c: From the CSP3 Spec 6.7.2.8. Does url match expression in origin with redirect count?:

    3.2: If expression does not have a scheme-part, and origin’s scheme does not scheme-part match url’s scheme, return "Does Not Match".

    If your site is hosted via HTTPS, the CSP policy implicitly adds https:// to any host sources, and would block any assets requested with a http://... url unless the policy specifically includes the source with a http:// protocol.

    3. You could use hook_library_info_alter() to alter the asset url to include https:, and CSP will use that value.

    I don't think there's much reason to use a protocol-relative url instead of always-https anymore, so you could submit a patch to the original module to update their asset URL to include https:, but I don't think it's a priority.

    Bonus: You can enable the upgrade-insecure-requests directive in your policy to explicitly tell browsers to only use https for any asset requests or navigations (assuming you do not have any that do need to remain http for some reason).
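    The matching rule quoted in 2.c, as an added example that is not part of the comment above and not the CSP module's code: a reduced Python model of the CSP3 host-source matching step, showing why a scheme-less `fonts.googleapis.com` source on an HTTPS page only allows https:// requests to that host, while an explicit `http://` source would also allow plain http. Port and path handling are simplified (no percent-decoding, no redirect handling).

```python
from urllib.parse import urlsplit

# Constructed model, not the Drupal CSP module's code: the host-source part of
# CSP3 "Does url match expression in origin" (section 6.7.2.8), simplified.
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}

def scheme_part_matches(a, b):
    """CSP3 scheme-part match: http also covers https, ws also covers wss."""
    a, b = a.lower(), b.lower()
    return a == b or (a == "http" and b == "https") or (a == "ws" and b == "wss")

def url_matches_source(expression, url, origin_scheme):
    """True if `url`, requested from a page whose origin scheme is
    `origin_scheme`, is allowed by one host-source such as "fonts.googleapis.com"."""
    u = urlsplit(url)
    expr_scheme, rest = (expression.split("://", 1) if "://" in expression
                         else (None, expression))
    if expr_scheme is not None:
        if not scheme_part_matches(expr_scheme, u.scheme):
            return False
    elif not scheme_part_matches(origin_scheme, u.scheme):
        return False  # step 3.2: no scheme-part, so the page's own scheme applies
    host_part, _, path_part = rest.partition("/")
    host, _, port = host_part.partition(":")
    if host.startswith("*."):
        if not u.hostname.endswith(host[1:].lower()):  # *.example.com -> sub.example.com
            return False
    elif host != "*" and u.hostname != host.lower():
        return False
    url_port = u.port or DEFAULT_PORTS.get(u.scheme.lower())
    if port and port != "*":
        if str(url_port) != port:
            return False
    elif url_port != DEFAULT_PORTS.get(u.scheme.lower()):
        return False  # no port-part: only the scheme's default port matches
    if path_part:  # "dir/" is a prefix match, "file" must match exactly
        expr_path = "/" + path_part
        if expr_path.endswith("/"):
            return u.path.startswith(expr_path)
        return u.path == expr_path
    return True

def allowed(sources, url, origin_scheme):
    """Evaluate a directive's whole source list; keyword sources like 'self'
    are skipped in this reduced model."""
    return any(url_matches_source(s, url, origin_scheme)
               for s in sources if not s.startswith("'"))
```

    With `style-src 'self' fonts.googleapis.com` on an HTTPS page, `allowed()` returns True for https://fonts.googleapis.com/css and False for the same URL over http://, which is the behaviour described in 2.c.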

  • 🇳🇱Netherlands zebda

    Wow! Thanks for the great reply!
