MERX CSP and the MERX starter kit

oyster · May 26, 2023, 6:24am

CSP policy is blocking web-fonts on the starter kit.

I have tried with .htaccess .

 Header always set Content-Security-Policy "default-src 'self'; base-uri 'self'; form-action 'self'; font-src 'self' https://bandicoot-merx.local;"

I have tried , With bnomei plugin in config.php

    'bnomei.securityheaders.headers' => [
        "X-Powered-By" => "", // unset
        "X-XSS-Protection" => "1; mode=block",
        "X-Content-Type-Options" => "nosniff",
        "Referrer-Policy" => "no-referrer-when-downgrade",
        "Permissions-Policy" => 'interest-cohort=()', 
        "Content-Security-Policy" => "default-src 'self', font-src * 'self'",
    ],

I have tried Header meta tag.

Nothing seems to budge this CSP. Is there something in Kirby or MERX starter KIt?

pixelijn · May 26, 2023, 6:38am

From where are you loading your fonts?

oyster · May 26, 2023, 6:52am

Bingo… I’ll leave this up. The solution is found here.

Topic		Replies	Views
Merx starter kit installation difficulty plugin	5	237	October 9, 2023
Content Security Policy Kirby 3 panel	3	901	February 7, 2022
Problem with Merx Starterkit Kirby 3 plugin 🧩	1	217	October 22, 2023
Invalid CSRF Token on Hepburn Theme Panel Installation Solved ✅ panel	46	922	April 30, 2020
Can not re-install Kirby after forgot password - invalid CSRF token Solved ✅	3	651	November 8, 2019

MERX CSP and the MERX starter kit

Related Topics