feat: fonts csp #12103
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
|
|
@@ -265,6 +265,51 @@ export default defineConfig({ | |||||
| }); | ||||||
| ``` | ||||||
|
|
||||||
| ### `fontDirectiveResources` | ||||||
|
|
||||||
| <p> | ||||||
|
|
||||||
| **Type:** `string[]`<br /> | ||||||
| **Default:** `[]`<br /> | ||||||
| <Since v="5.12.7" /> | ||||||
|
There was a problem hiding this comment. Just checking whether this is releasing with the minor, or if before, then update this right before the patch release when known!
Suggested change
|
||||||
| </p> | ||||||
|
|
||||||
| A list of valid sources for the `font-src` directive. | ||||||
|
|
||||||
| The `font-src` directive is handled by Astro by default, and uses the `'self'` resource. This means that fonts can only be downloaded by the current host (usually the current website). | ||||||
|
|
||||||
| To override the default source, you can provide a list of resources instead. This will not include `'self'` by default, and must be included in this list if you wish to keep it. These resources are added to all pages. | ||||||
|
|
||||||
| ```js title="astro.config.mjs" | ||||||
| import { defineConfig } from 'astro/config'; | ||||||
|
|
||||||
| export default defineConfig({ | ||||||
| experimental: { | ||||||
| csp: { | ||||||
| fontDirectiveResources: [ | ||||||
| "'self'", | ||||||
| "https://fonts.cdn.example.com" | ||||||
| ] | ||||||
| } | ||||||
| } | ||||||
| }); | ||||||
| ``` | ||||||
|
|
||||||
| After the build, the `<meta>` element will instead apply your sources to the `font-src` directive: | ||||||
florian-lefebvre marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||
|
|
||||||
| ```html | ||||||
| <head> | ||||||
| <meta | ||||||
| http-equiv="content-security-policy" | ||||||
| content=" | ||||||
| font-src 'self' https://fonts.cdn.example.com; | ||||||
| " | ||||||
| > | ||||||
| </head> | ||||||
| ``` | ||||||
|
|
||||||
| When using [the experimental Fonts API](/en/reference/experimental-flags/fonts/), font resources will be injected by Astro (based on [`build.assetsPrefix`](/en/reference/configuration-reference/#buildassetsprefix)) as well as style [hashes](#hashes). | ||||||
|
There was a problem hiding this comment. Just checking that this doesn't require experimental fonts to also be configured? When you say "when using the experimental fonts API" that means that all of the above is just generally true, even if not using. But now here, we are additionally specifying something that is true only when using experimental fonts, right? There was a problem hiding this comment. Maybe this is not the right place for this info? But yeah basically there are 2 things:
There was a problem hiding this comment. re: "font resources will be injected by Astro based on..." Would it be correct to say something like below, that I think is a bit more explicit?
Suggested change
And then this prompts the question... what if I'm not using experimental fonts?? Do I have to do anything special? Will this "just work" as expected, or do I need to set something manually because I'm not using experimental fonts? Do we need an "Otherwise, you will need to...." follow up statement if someone has Also just checking where it says in
Do these now need to be extended to include fonts? Is there an analogous font line for this example? Are fonts simply an extension of styles and use their hashes, or are there separate font hashes? (And noting that if this is only true when using experimental fonts, then, is there anything anyone needs to know in this section if they are NOT using experimental fonts?) There was a problem hiding this comment.
To recap:
So I'd say no.
I don't think so? Fonts only have directives, not hashes There was a problem hiding this comment. OK, but if Astro works differently when I am or am not using experimental fonts, and I probably want one particular outcome, then... how do I get that same desired result in both cases if Astro is working differently in each case? I'm not sure how they can work differently and yet "it's all good" in either case? Like, is taking those things into consideration "good" or "bad"? (Is it more like "I probably want it consistent with how I have other things set up, and yay, using experimental fonts it's done for me so I don't have to do X, Y and Z manually when I'm not using experimental fonts!" or is this "Be careful! If you use experimental fonts, this will happen, unlike when you're not. You might have to undo it manually!") There was a problem hiding this comment. Ah I think I see what you mean now. Basically, experimental fonts are dealing with font directives and style hashes, because the way it works is it injects an inline script. Now if you're not using experimental fonts, you may be just setting So I guess the main difference is this:
Does that help? |
||||||
|
|
||||||
| ## Runtime APIs | ||||||
|
|
||||||
| You can customize the `<meta>` element per page via runtime APIs available from the `Astro` global inside `.astro` components, or the `APIContext` type in endpoints and middleware. | ||||||
|
|
@@ -411,3 +456,30 @@ After the build, the `<meta>` element for this individual page will add your has | |||||
| " | ||||||
| > | ||||||
| ``` | ||||||
|
|
||||||
| ### `insertFontResource` | ||||||
|
There was a problem hiding this comment. Does this require experimental Fonts API, or work differently with or without it? There was a problem hiding this comment. It works without experimental fonts, and works the same with or without |
||||||
|
|
||||||
| <p> | ||||||
|
|
||||||
| **Type:** `(resource: string) => void`<br /> | ||||||
| <Since v="5.12.7" /> | ||||||
|
There was a problem hiding this comment. same note re: version, whatever it happens to be! |
||||||
| </p> | ||||||
|
|
||||||
| Inserts a new resource to be used for the `font-src` directive. | ||||||
|
|
||||||
| ```astro | ||||||
| --- | ||||||
| Astro.insertFontResource("https://fonts.cdn.example.com"); | ||||||
| --- | ||||||
| ``` | ||||||
|
|
||||||
| After the build, the `<meta>` element for this individual page will add your source to the default `style-src` directive: | ||||||
florian-lefebvre marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||
|
|
||||||
| ```html | ||||||
| <meta | ||||||
| http-equiv="content-security-policy" | ||||||
| content=" | ||||||
| font-src https://fonts.cdn.example.com; | ||||||
|
There was a problem hiding this comment. Is this the same situation where doing this overrides and removes There was a problem hiding this comment. In this case, it's merged with the config so we could show There was a problem hiding this comment. OK, so if this merges that's probably easier to document! We would just make sure that we describe it as "additive" |
||||||
| " | ||||||
| > | ||||||
| ``` | ||||||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Didn't we run into a similar tricky situation documenting something not too long ago where adding any value overrides (and removes) the default that needs to be added back in? 😅 What was that and how did we handle that?
I think what feels off here is that if you do nothing, by default you get the same result as if you added this property with
'self', right? So it's kind of like the default value is'self'and not nothing?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Indeed! FYI I just copied the other properties so they would also need to be updated