User Guide Cancel

Content security policy

  1. Adobe Fonts User Guide
  2. Introduction
    1. System and subscription requirements
    2. Browser and OS support
    3. Add fonts on your computer
    4. Add fonts to your website
    5. Add fonts on CC Mobile
  3. Font licensing
    1. Font licensing
    2. Manage your account
    3. Licensing for Creative Cloud for enterprise customers
    4. Adding font licenses to your account
    5. Removing fonts from the subscription library
    6. Adobe Fonts not available to Adobe IDs registered in China
    7. Why aren't these fonts included in my Creative Cloud subscription?
    8. Morisawa font removal September 2021
  4. Getting and using fonts
    1. Using Adobe Fonts in Creative Cloud apps
    2. Manage your fonts
    3. Resolve missing fonts in desktop applications
    4. Using fonts in InDesign
    5. Fonts and typography
    6. Using web fonts in HTML5 Canvas documents
    7. Using fonts in InCopy
    8. Using web fonts in Muse
    9. Packaging font files
    10. Troubleshooting guide: Adding fonts
    11. Added fonts aren't showing to font menu
    12. "Unable to add one or more fonts" or "A font with the same name is already installed"
    13. What happens when a font I'm using is updated by the foundry?
  5. Web design and development
    1. Add fonts to your website
    2. Troubleshooting guide: Adding fonts to a website
    3. Using web fonts in HTML email or newsletters
    4. Using web fonts with Accelerated Mobile Pages (AMP)
    5. CSS selectors
    6. Customize web font performance with font-display settings
    7. Embed codes
    8. Dynamic subsetting & web font serving
    9. Font events
    10. Why are my web fonts from use.typekit.net?
    11. Site can't connect to use.typekit.net
    12. Using web fonts with CodePen
    13. Browser and OS support
    14. Domains
    15. Using web fonts when developing locally
    16. Content security policy
    17. Printing web fonts
  6. Language support and OpenType features
    1. Language support and subsetting
    2. Using OpenType features
    3. Syntax for OpenType features in CSS
  7. Font technology
    1. OpenType-SVG color fonts
    2. Ten Mincho: important points on updating from Version 1.000

The Content Security Policy (CSP) is a means for restricting which scripts and resources are allowed on your website. You could, for example, use CSP to stop external scripts from being executed on your website.

CSPs are not recommended for use with Adobe Fonts

While it is possible to use a CSP with web fonts from Adobe on the same page, we do not recommend it.  The CSP policy does not allow you to set an exception for inline styles added by a script from a specific domain. If you specify an unsafe-inline exception for styles, it will apply to all styles from all domains.

Adobe Fonts uses inline styles and fonts as data URIs to provide our service, and making exceptions for these negates a lot of the protection provided by a CSP. 

Using a CSP

If you do wish to use a CSP, follow these instructions to properly set your security directives. Take care, as failure to properly follow all of these instructions could result in an inadvertent violation of the Terms of Use for the web font service.

  1. The first directive is to allow scripts to load from our CDN, use.typekit.net:

    script-src 'self' use.typekit.net;
  2. Next, you need to allow stylesheets from use.typekit.net and specify unsafe-inline to allow scripts from all domains (including use.typekit.net) to use inline styles. This is required for font events to work.

    style-src 'self' 'unsafe-inline' use.typekit.net;
  3. The final requirement is an exception for images from p.typekit.net. Font loading uses a tracking image from this domain to calculate font usage and pay foundries appropriately for the use of their fonts.

    img-src 'self' p.typekit.net;
  4. Optionally, you can add an exception for our performance metrics. Performance metrics are sent at random intervals and are used to monitor the performance of our font network.

    connect-src performance.typekit.net

You should combine these directives into a single policy and set the Content-Security-Policy header on all your HTTP(S) responses. To support older versions of Chrome, Firefox, and Safari, you’ll also need to include the X-Content-Security-Policy and X-WebKit-CSP headers. For more information, please refer to the W3C CSP specification.

Get help faster and easier

New user?