CCM-9916: preload fonts with cross origin directive #742

Merged
harrim91 merged 8 commits into main from feature/CCM-9916_safari-fonts
Oct 27, 2025

@harrim91 harrim91 commented Oct 20, 2025

Description

  • Self-host nhsuk fonts, which allows them to be loaded by Safari.
  • Removes the upgrade-insecure-requests directive from CSP when running on localhost, which prevents Safari from trying to upgrade http localhost requests to https

Context

When opening notify.nhs.uk in Safari, the site failed to load fonts served from https://assets.nhs.uk.
The browser console showed:

Failed to load resource: Cancelled load to https://assets.nhs.uk/fonts/FrutigerLTW01-55Roman.woff2
because it violates the resource's Cross-Origin-Resource-Policy response header.

The site’s HTML was being served with:

Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp

These headers enable cross-origin isolation. Under this policy, cross-origin assets must either:

  • be fetched with CORS
  • be served with a Cross-Origin-Resource-Policy (CORP) header of cross-origin or same-site.

Font fetches were happening from within a @font-face block in the nhsuk-frontend css. Safari was doing these fetches as no-CORS requests. The assets.nhs.uk server serves these fonts without a CORP header. So Safari was unable to load the fonts.

Type of changes

  • Refactoring (non-breaking change)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would change existing functionality)
  • Bug fix (non-breaking change which fixes an issue)

Checklist

  • I am familiar with the contributing guidelines
  • I have followed the code style of the project
  • I have added tests to cover my changes
  • I have updated the documentation accordingly
  • This PR is a result of pair or mob programming

Sensitive Information Declaration

To ensure the utmost confidentiality and protect your and others' privacy, we kindly ask you NOT to include PII (Personal Identifiable Information) / PID (Personal Identifiable Data) or any other sensitive data in this PR (Pull Request) and the codebase changes. We will remove any PR that does contain any sensitive information. We really appreciate your cooperation in this matter.

  • I confirm that neither PII/PID nor sensitive data are included in this PR and the codebase changes.

@harrim91 harrim91 requested a review from a team as a code owner October 20, 2025 15:02
@harrim91 harrim91 closed this Oct 22, 2025
@harrim91 harrim91 reopened this Oct 22, 2025
alexnuttall previously approved these changes Oct 24, 2025
@harrim91 harrim91 merged commit 30d9536 into main Oct 27, 2025
43 of 44 checks passed
@harrim91 harrim91 deleted the feature/CCM-9916_safari-fonts branch October 27, 2025 09:37
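
The rule in the Context section of the description above, as an added example that is not part of the pull request or the project's code: a simplified JavaScript model of the Fetch cross-origin resource policy check, showing why a no-CORS font load fails under `Cross-Origin-Embedder-Policy: require-corp` and which changes let it through. The function name, the `sameSite` flag, the response headers and the self-hosted path are assumptions made for illustration.

```javascript
// Simplified model of the Fetch "cross-origin resource policy check" for one load.
// sameSite is supplied by the caller (assumption): deciding it properly needs the
// Public Suffix List. Credentials are ignored in the CORS branch.
function checkSubresource({ pageUrl, coep, resourceUrl, mode, headers = {}, sameSite = false }) {
  const h = new Map(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v).trim()]));
  const page = new URL(pageUrl);
  const res = new URL(resourceUrl);
  const sameOrigin = page.origin === res.origin;
  const verdict = (allowed, reason) => ({ allowed, reason });

  if (mode === "cors") {
    // CORS-mode loads skip the CORP check; the CORS check decides instead.
    const acao = h.get("access-control-allow-origin");
    const ok = sameOrigin || acao === "*" || acao === page.origin;
    return verdict(ok, ok ? "cors-ok" : "cors-failed");
  }

  // no-cors load: unrecognised CORP values count as absent.
  let policy = h.get("cross-origin-resource-policy") ?? null;
  if (!["same-origin", "same-site", "cross-origin"].includes(policy)) policy = null;
  // Under COEP require-corp, a missing header is treated as same-origin.
  if (policy === null && coep === "require-corp") policy = "same-origin";

  if (policy === null || policy === "cross-origin") return verdict(true, "corp-ok");
  if (policy === "same-origin") return verdict(sameOrigin, sameOrigin ? "corp-ok" : "corp-blocked");
  // same-site: an https resource must not be embedded by a non-https page.
  const ok = (sameOrigin || sameSite) && (page.protocol === "https:" || res.protocol !== "https:");
  return verdict(ok, ok ? "corp-ok" : "corp-blocked");
}

// Constructed sample input: the page and font URL from the description, plus
// hypothetical response headers and a hypothetical self-hosted font path.
const base = {
  pageUrl: "https://notify.nhs.uk/",
  coep: "require-corp",
  resourceUrl: "https://assets.nhs.uk/fonts/FrutigerLTW01-55Roman.woff2",
};
const cases = {
  noCorsNoHeader: checkSubresource({ ...base, mode: "no-cors" }),
  noCorsWithCorp: checkSubresource({ ...base, mode: "no-cors",
    headers: { "Cross-Origin-Resource-Policy": "cross-origin" } }),
  corsWithAcao: checkSubresource({ ...base, mode: "cors",
    headers: { "Access-Control-Allow-Origin": "*" } }),
  selfHosted: checkSubresource({ ...base, mode: "no-cors",
    resourceUrl: "https://notify.nhs.uk/fonts/example.woff2" }),
};
console.log(cases);
```
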