Auto-source fonts.googleapis.com without https://

1. Auto sources are parsed from your site's *.libraries.yml definitions. The assets for that library are probably included as protocol-relative urls (//fonts.googleapis.com/...). The CSP module only includes the protocol when parsing sources if it is https://.

2.a: With a protocol-relative URL, if your site is hosted with HTTPS then the browser will also request the asset with HTTPS. Modern browsers also now make requests https-first, only falling back to http if not available even for links to an http destination that are on an http site.

2.b: assets from fonts.googleapis.com are served with a HTTP Strict Transport Security header, so if a browser has ever made any requests to the domain, it will only use https for any future requests, and block any potential downgrade attempts.

2.c: From the CSP3 Spec 6.7.2.8. Does url match expression in origin with redirect count?:

3.2: If expression does not have a scheme-part, and origin’s scheme does not scheme-part match url’s scheme, return "Does Not Match".

If your site is hosted via HTTPS, the CSP policy implicitly adds https:// to any host sources, and would block any assets requested with a http://... url unless the policy specifically includes the source with a http:// protocol.

3. You could use hook_library_info_alter() to alter the asset url to include https:, and CSP will use that value.

I don't think there's much reason to use a protocol-relative url instead of always-https anymore, so you could submit a patch to the original module to update their asset URL to include https:, but I don't think it's a priority.

Bonus: You can enable the upgrade-insecure-requests directive in your policy to explicitly tell browsers to only use https for any asset requests or navigations (assuming you do not have any that do need to remain http for some reason).

Wow! Thanks for the great reply!