Whitelist Typography.com fonts #3749

Closed
arajay opened this issue Jun 23, 2016 · 12 comments

@arajay

arajay commented Jun 23, 2016

Typography.com is a custom font provider. Their basic licensing agreement prohibits the download of their custom fonts; the only option for font embedding (without paying a hefty licensing fee) is to link to their cloud hosted stylesheet.

Example:
<link rel="stylesheet" type="text/css" href="//cloud.typography.com/6256354/724768/css/fonts.css">

This is a request to whitelist Typography.com CDN for serving fonts to AMP clients.

Is this possible? Or would it require each individual stylesheet URL to be whitelisted in the AMP CSP, as indicated by the response to this request?

@cramforce
Member

Absolutely possible. Steps:

  • whitelist in validator
  • update CSP

@arajay Are you with typography.com?

@arajay
Author

arajay commented Jul 6, 2016

I do not work for typography.com but many of my clients use their CDN hosted fonts; in the meantime I have been using alternate web-safe fonts for my AMP pages instead.

@Gregable
Member

Gregable commented Jul 6, 2016

Do you know what the range of possible URLs here would be?
Would https://cloud\.typography\.com/[0-9]*/[0-9]*/css/fonts.css work?

@arajay
Author

arajay commented Jul 6, 2016

Affirmative @Gregable ; the stylesheet links for all my clients are formatted in that manner.

@cramforce
Member

@arajay Could you try to get somebody from typography.com to comment here? Many font providers do referrer checking, which may require additional work for AMP.

@arajay
Author

arajay commented Jul 7, 2016

"Sarah," a representative from Typography.com replied to my request with: "We do not allow for the white listing of domains."

@cramforce
Member

I'm not sure what that means :)

So, let's go ahead here.

@Gregable I think just going for the prefix https://cloud.typography.com/ is fine.

Gregable added a commit that referenced this issue Jul 20, 2016
* Allow skype as a protocol for anchor tag's href. #4094
* Whitelist typography.com fonts #3749
@Gregable
Member

Closing, but will be a little while longer before it's released.

@cramforce cramforce reopened this Jul 20, 2016
@cramforce
Member

I assume we still need to make the CSP change, right?

Sending you a CL.

@cramforce
Member

New CSP

content-security-policy:default-src * data:; script-src https://cdn.ampproject.org/rtv/ https://cdn.ampproject.org/v0.js https://cdn.ampproject.org/v0/ https://cdn.ampproject.org/viewer/; object-src 'none'; style-src 'unsafe-inline' https://cloud.typography.com https://fast.fonts.net https://fonts.googleapis.com https://maxcdn.bootstrapcdn.com; report-uri https://csp-collector.appspot.com/csp/amp

@Gregable
Member

This is now live everywhere.

ariangibson pushed a commit to Mixpo/amphtml that referenced this issue Sep 7, 2016
* Allow skype as a protocol for anchor tag's href. ampproject#4094
* Whitelist typography.com fonts ampproject#3749
@lannka
Contributor

lannka commented Oct 26, 2016

We saw a bug that cloud.typography.com is doing a 302 redirect to a different domain, and the css is then blocked by CSP.

See example.

It works fine on the canonical page, but has a problem on CDN.

Filed a separate bug here: #5844
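
The redirect failure reported above follows from how the posted policy is evaluated: `style-src` is set explicitly, so `default-src *` never applies to stylesheets, and every hop of a redirect must match the `style-src` list. The following is an added example (not part of the thread and not AMP project code) that checks a redirect chain against that policy. The redirect target host is a constructed placeholder because the thread does not name it, and the source matching is a simplified subset of CSP (no ports, no scheme inheritance for scheme-less sources).

```javascript
// CSP value as posted in the "New CSP" comment above.
const AMP_CSP = "default-src * data:; script-src https://cdn.ampproject.org/rtv/ https://cdn.ampproject.org/v0.js https://cdn.ampproject.org/v0/ https://cdn.ampproject.org/viewer/; object-src 'none'; style-src 'unsafe-inline' https://cloud.typography.com https://fast.fonts.net https://fonts.googleapis.com https://maxcdn.bootstrapcdn.com; report-uri https://csp-collector.appspot.com/csp/amp";

// Parse "name src src; name src" into { name: [src, ...] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in policy)) policy[key] = sources; // first occurrence wins
  }
  return policy;
}

// Simplified source matching: "*", scheme-sources ("data:") and host-sources
// with optional scheme, "*." wildcard and path. Keywords such as
// 'unsafe-inline' never match a URL; sources with ports fail closed.
function sourceMatches(source, url, afterRedirect) {
  if (source.startsWith("'")) return false;
  if (source === "*") return ["http:", "https:"].includes(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)(\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, host, path] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ":") return false;
  const h = host.toLowerCase();
  const hostOk = h.startsWith("*.") ? url.hostname.endsWith(h.slice(1)) : url.hostname === h;
  if (!hostOk) return false;
  // CSP ignores the path part of a source expression once a redirect has occurred.
  if (!path || afterRedirect) return true;
  return path.endsWith("/") ? url.pathname.startsWith(path) : url.pathname === path;
}

// Return the first URL in a redirect chain that the directive blocks, or null.
function firstBlockedHop(header, directive, chain) {
  const policy = parseCsp(header);
  const sources = policy[directive] ?? policy["default-src"];
  if (!sources) return null; // no applicable directive: nothing is restricted
  for (let i = 0; i < chain.length; i++) {
    const url = new URL(chain[i]);
    if (!sources.some((s) => sourceMatches(s, url, i > 0))) return chain[i];
  }
  return null;
}

// Constructed chain: the stylesheet URL from this issue, then a placeholder 302 target.
const CONSTRUCTED_CHAIN = ["https://cloud.typography.com/6256354/724768/css/fonts.css", "https://redirect-target.example/css/fonts.css"];
console.log("blocked hop:", firstBlockedHop(AMP_CSP, "style-src", CONSTRUCTED_CHAIN));
```

Running the same chain against a directive the policy does not define, such as `img-src`, returns `null` because the fallback to `default-src *` applies there.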
