top | item 46748704

(no title)

efortis | 1 month ago

Since this works

  const style = document.createElement('style')
  style.textContent = `* { font-family: Arial }`
  document.head.appendChild(style)

I'd say the `data:` URL of the font is violating the Content-Security-Policy, which should show an error in the Console.

Their CSP has `default-src 'self'` and has no font-src, so font-src is 'self' too (it would need `data:` as well)

discuss

lupire|1 month ago

A custom browser can set its own CSP, right?

bangaladore|1 month ago

CSP is inherently a client-side browser security feature, so yes.