Modifying default-src in Content-Security-Policy

Hi,

I have a Custom UI component that uses a third-party script to render mathematical formulas. This script needs to download (many) fonts from the domain that the script itself is also coming from. However, the requests to this domain are getting blocked due to the CSP ‘default-src’. The ‘default-src’ value my browser gets from Atlassian is ‘self’.

I have checked the following pages, but couldn’t see any field that controls ‘default-src’. Is there any way to modify this CSP directive?

https://developer.atlassian.com/platform/forge/manifest-reference/permissions/
https://developer.atlassian.com/platform/forge/add-content-security-and-egress-controls

Bumping for visibility.

Thanks for bringing this up @CemGndodu .

At this stage, we won’t be adding default-src, but I’ve added a ticket in our internal backlog to allow you to specify font-src, which takes precedence over the default-src rule and should support your use case.

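To make the precedence rule in the reply above concrete, here is an added example (not code from the original thread, from Atlassian or from Forge) that models how a browser chooses the CSP directive governing a font fetch and whether a source expression allows it. It covers only 'self', 'none', *, scheme sources such as data:, and host sources with an optional *. label; ports, paths, nonces and hashes from the full CSP3 matching algorithm are left out. The page origin, font host and data: payload are constructed placeholders, not real Atlassian or Forge values.

```javascript
// Added example, not code from the original thread or from Atlassian/Forge: a minimal
// model of the CSP fetch-directive fallback (font-src, else default-src) and of the
// source-expression matching needed to explain the thread's two blocked cases.

function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Fetch directives fall back to default-src only when the specific directive is absent,
// so a font-src entry fully replaces default-src for font loads.
function governingDirective(policy, directive) {
  if (policy.has(directive)) return directive;
  if (policy.has("default-src")) return "default-src";
  return null;
}

function sourceMatches(source, url, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  // 'self' never matches a data: URL: its origin is opaque ("null"), not the page's.
  if (s === "'self'") return url.origin !== "null" && url.origin === pageOrigin;
  if (s === "*") return !["data:", "blob:", "filesystem:"].includes(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s; // scheme source, e.g. data:
  // Host source: [scheme://][*.]host[:port][/path]; only scheme and host are compared here.
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)(?::\d+)?(?:\/.*)?$/.exec(s);
  if (!m || m[3].startsWith("'")) return false; // quoted keyword this model does not cover
  const [, scheme, wildcard, host] = m;
  if (scheme && url.protocol !== scheme + ":") return false;
  if (!scheme && !["http:", "https:"].includes(url.protocol)) return false;
  return wildcard ? url.hostname.endsWith("." + host) : url.hostname === host;
}

// Returns which directive governed the decision and whether the font load is allowed.
function isFontAllowed(header, fontUrl, pageOrigin) {
  const policy = parsePolicy(header);
  const directive = governingDirective(policy, "font-src");
  if (directive === null) return { allowed: true, directive }; // nothing restricts fonts
  const url = new URL(fontUrl);
  const allowed = policy.get(directive).some((src) => sourceMatches(src, url, pageOrigin));
  return { allowed, directive };
}

// Constructed inputs (assumptions for the demo): a placeholder page origin, a
// placeholder font CDN, and a data: font with a few dummy base64 bytes.
const PAGE_ORIGIN = "https://app.example.com";
const CDN_FONT = "https://fonts.example.com/math/MathFont-Regular.woff2";
const DATA_FONT = "data:application/x-font-ttf;charset=utf-8;base64,AAEAAAAQAQAABAAA";

const CASES = [
  ["default-src 'self'", CDN_FONT],   // the original poster's case: blocked
  ["default-src 'self'", DATA_FONT],  // the base64-in-CSS case: blocked
  ["default-src 'self'; font-src 'self' https://fonts.example.com", CDN_FONT],
  ["default-src 'self'; font-src 'self' data:", DATA_FONT],
];
for (const [header, font] of CASES) {
  const { allowed, directive } = isFontAllowed(header, font, PAGE_ORIGIN);
  console.log(`${allowed ? "ALLOW" : "BLOCK"} (${directive})  ${font.slice(0, 48)}  <-  ${header}`);
}
```

Two points worth noting from the output: with only default-src 'self', both the third-party host and the data: URL are blocked, because 'self' matches neither; once font-src is present it alone decides font loads, so listing the CDN host (or data:) there is enough. Allowing data: in font-src is broader than naming a host, so prefer hosting the font files where the page's own origin can serve them.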

Support for specifying the font-src CSP directive has recently been added, see Fonts for details.


Hi,
I have a similar problem, but my fonts are not hosted at a URL; they are encoded as base64 within the CSS file. Can you help? I’m getting the following error.

Content Security Policy: The page’s settings blocked the loading of a resource at data:application/x-font-ttf;charset=utf-… (“font-src”).

I have the same problem. Did you ever find a fix for this?

Hi,
Unfortunately not.

In my case I managed to solve it by importing TTF/WOFF format fonts referenced in a different CSS file (one that doesn’t base64-encode them) within the npm package I’m using. So perhaps you could convert your base64 fonts into that format.
