MERX CSP and the MERX starter kit

CSP policy is blocking web-fonts on the starter kit.

I have tried with .htaccess .

 Header always set Content-Security-Policy "default-src 'self'; base-uri 'self'; form-action 'self'; font-src 'self' https://bandicoot-merx.local;"

I have tried , With bnomei plugin in config.php

    'bnomei.securityheaders.headers' => [
        "X-Powered-By" => "", // unset
        "X-XSS-Protection" => "1; mode=block",
        "X-Content-Type-Options" => "nosniff",
        "Referrer-Policy" => "no-referrer-when-downgrade",
        "Permissions-Policy" => 'interest-cohort=()', 
        "Content-Security-Policy" => "default-src 'self', font-src * 'self'",

I have tried Header meta tag.

Nothing seems to budge this CSP. Is there something in Kirby or MERX starter KIt?

From where are you loading your fonts?

Bingo… I’ll leave this up. The solution is found here.