From d0cd25b93e58b3f2a26f7d030d156ccf6a0ddbdc Mon Sep 17 00:00:00 2001
From: Florian Lefebvre <contact@florian-lefebvre.dev>
Date: Thu, 31 Jul 2025 16:42:46 +0200
Subject: [PATCH 1/5] feat: fonts csp

---
 .../en/reference/experimental-flags/csp.mdx   | 72 +++++++++++++++++++
 1 file changed, 72 insertions(+)

diff --git a/src/content/docs/en/reference/experimental-flags/csp.mdx b/src/content/docs/en/reference/experimental-flags/csp.mdx
index 51ab5a43eb0ba..ad1e06a1074b8 100644
--- a/src/content/docs/en/reference/experimental-flags/csp.mdx
+++ b/src/content/docs/en/reference/experimental-flags/csp.mdx
@@ -265,6 +265,51 @@ export default defineConfig({
 });
 ```
 
+### `fontDirectiveResources`
+
+<p>
+
+**Type:** `string[]`<br />
+**Default:** `[]`<br />
+<Since v="5.12.7" />
+</p>
+
+A list of valid sources for the `font-src` directive.
+
+The `font-src` directive is handled by Astro by default, and uses the `'self'` resource. This means that fonts can only be downloaded by the current host (usually the current website).
+
+To override the default source, you can provide a list of resources instead. This will not include `'self'` by default, and must be included in this list if you wish to keep it. These resources are added to all pages.
+
+```js title="astro.config.mjs"
+import { defineConfig } from 'astro/config';
+
+export default defineConfig({
+  experimental: {
+    csp: {
+      fontDirectiveResources: [
+        "'self'",
+        "https://fonts.cdn.example.com"
+      ]
+    }
+  }
+});
+```
+
+After the build, the `<meta>` element will instead apply your sources to the `font-src` directive:
+
+```html
+<head>
+  <meta
+    http-equiv="content-security-policy" 
+    content="
+      font-src 'self' https://fonts.cdn.example.com;
+    "
+  >
+</head>
+```
+
+When using [the experimental Fonts API](/en/reference/experimental-flags/fonts/), font resources will be injected by Astro (based on [`build.assetsPrefix`](/en/reference/configuration-reference/#buildassetsprefix)) as well as style [hashes](#hashes).
+
 ## Runtime APIs
 
 You can customize the `<meta>` element per page via runtime APIs available from the `Astro` global inside `.astro` components, or the `APIContext` type in endpoints and middleware.
@@ -411,3 +456,30 @@ After the build, the `<meta>` element for this individual page will add your has
   "
 >
 ```
+
+### `insertFontResource`
+
+<p>
+
+**Type:** `(resource: string) => void`<br />
+<Since v="5.12.7" />
+</p>
+
+Inserts a new resource to be used for the `font-src` directive.
+
+```astro
+---
+Astro.insertFontResource("https://fonts.cdn.example.com");
+---
+```
+
+After the build, the `<meta>` element for this individual page will add your source to the default `style-src` directive:
+
+```html
+<meta
+  http-equiv="content-security-policy"
+  content="
+    font-src https://fonts.cdn.example.com;
+  "
+>
+```

From ff7a8a29592c7ff2a02f7672b9181d6255618dab Mon Sep 17 00:00:00 2001
From: Florian Lefebvre <contact@florian-lefebvre.dev>
Date: Wed, 13 Aug 2025 10:23:36 +0200
Subject: [PATCH 2/5] feat: feedback

---
 src/content/docs/en/reference/experimental-flags/csp.mdx | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/content/docs/en/reference/experimental-flags/csp.mdx b/src/content/docs/en/reference/experimental-flags/csp.mdx
index ad1e06a1074b8..a4608028f3811 100644
--- a/src/content/docs/en/reference/experimental-flags/csp.mdx
+++ b/src/content/docs/en/reference/experimental-flags/csp.mdx
@@ -142,7 +142,7 @@ These properties are added to all pages and **completely override Astro's defaul
 <p>
 
 **Type:** `string[]`<br />
-**Default:** `[]`<br />
+**Default:** `["'self'"]`<br />
 <Since v="5.9.0" />
 </p>
 
@@ -270,7 +270,7 @@ export default defineConfig({
 <p>
 
 **Type:** `string[]`<br />
-**Default:** `[]`<br />
+**Default:** `["'self'"]`<br />
 <Since v="5.12.7" />
 </p>
 
@@ -479,7 +479,7 @@ After the build, the `<meta>` element for this individual page will add your sou
 <meta
   http-equiv="content-security-policy"
   content="
-    font-src https://fonts.cdn.example.com;
+    font-src 'self' https://fonts.cdn.example.com;
   "
 >
 ```

From 092752e76bc29f96439673c574b480248e362591 Mon Sep 17 00:00:00 2001
From: Florian Lefebvre <contact@florian-lefebvre.dev>
Date: Tue, 26 Aug 2025 18:01:14 +0200
Subject: [PATCH 3/5] Update
 src/content/docs/en/reference/experimental-flags/csp.mdx

Co-authored-by: Sarah Rainsberger <5098874+sarah11918@users.noreply.github.com>
---
 src/content/docs/en/reference/experimental-flags/csp.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/content/docs/en/reference/experimental-flags/csp.mdx b/src/content/docs/en/reference/experimental-flags/csp.mdx
index a4608028f3811..9479bd32663f2 100644
--- a/src/content/docs/en/reference/experimental-flags/csp.mdx
+++ b/src/content/docs/en/reference/experimental-flags/csp.mdx
@@ -295,7 +295,7 @@ export default defineConfig({
 });
 ```
 
-After the build, the `<meta>` element will instead apply your sources to the `font-src` directive:
+After the build, the `<meta>` element will apply your sources to the `font-src` directive:
 
 ```html
 <head>

From dada31b49a5a481d68c7d154c504d5cfce474c74 Mon Sep 17 00:00:00 2001
From: Florian Lefebvre <contact@florian-lefebvre.dev>
Date: Tue, 26 Aug 2025 18:06:22 +0200
Subject: [PATCH 4/5] Update
 src/content/docs/en/reference/experimental-flags/csp.mdx

---
 src/content/docs/en/reference/experimental-flags/csp.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/content/docs/en/reference/experimental-flags/csp.mdx b/src/content/docs/en/reference/experimental-flags/csp.mdx
index 9479bd32663f2..b9f0f9792b69f 100644
--- a/src/content/docs/en/reference/experimental-flags/csp.mdx
+++ b/src/content/docs/en/reference/experimental-flags/csp.mdx
@@ -473,7 +473,7 @@ Astro.insertFontResource("https://fonts.cdn.example.com");
 ---
 ```
 
-After the build, the `<meta>` element for this individual page will add your source to the default `style-src` directive:
+After the build, the `<meta>` element for this individual page will add your source to the default `font-src` directive:
 
 ```html
 <meta

From 02ab0d0dc66de8187838fd8ad56a336664e99235 Mon Sep 17 00:00:00 2001
From: Florian Lefebvre <contact@florian-lefebvre.dev>
Date: Tue, 26 Aug 2025 19:08:14 +0200
Subject: [PATCH 5/5] Update
 src/content/docs/en/reference/experimental-flags/csp.mdx

---
 src/content/docs/en/reference/experimental-flags/csp.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/content/docs/en/reference/experimental-flags/csp.mdx b/src/content/docs/en/reference/experimental-flags/csp.mdx
index b9f0f9792b69f..940a9fbf19118 100644
--- a/src/content/docs/en/reference/experimental-flags/csp.mdx
+++ b/src/content/docs/en/reference/experimental-flags/csp.mdx
@@ -270,7 +270,7 @@ export default defineConfig({
 <p>
 
 **Type:** `string[]`<br />
-**Default:** `["'self'"]`<br />
+**Default:** `[]`<br />
 <Since v="5.12.7" />
 </p>