As part of the font-src policy directive, fonts can only be loaded from whitelisted domains. When I enable a default CSP using Office UI Fabric, all fonts and icons are blocked from these locations:
https://static2.sharepointonline.com/files/fabric/assets/fonts/*
and
https://spoprod-a.akamaihd.net/files/fabric/assets/icons/*
Is there documentation on the CDN locations used for fonts & icons? What domains do I need to whitelist to enable CSP for Office UI Fabric?
There is some discussion of CSP here but it specifically handles the style-src directive, not the font-src one.
Thanks
Niko
Sorry for the late answer here! The domains you listed are correct, and as far as I'm aware (I work on Fabric) they should stay the same at least while Fabric 7 is the current release.
Info about the CDN domains (and how to change them if you want to do that) is documented here for icons and here for general fonts.
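The policy change discussed above, as an added example that is not part of the original question or answer: a simplified font-src matcher run against a default-src 'self' policy and against one that adds the two Fabric CDN locations as path-scoped sources. The application origin https://app.example and the font file names are constructed, and the matcher covers only 'self', host sources, "*." wildcards and path prefixes.

```javascript
// Added example: simplified CSP font-src check (not a full CSP implementation).
// Handles 'self', scheme://host sources, "*." host wildcards and path prefixes.

function parsePolicy(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (key && !(key in directives)) directives[key] = sources;
  }
  return directives;
}

function sourceMatches(source, url, selfOrigin) {
  if (source === "'self'") return url.origin === selfOrigin;
  const m = /^(https?):\/\/(\*\.)?([^\/:]+)(\/.*)?$/i.exec(source);
  if (!m) return false; // 'none' and other keywords never match here
  const [, scheme, wildcard, host, path] = m;
  if (url.protocol !== scheme.toLowerCase() + ':') return false;
  const want = host.toLowerCase();
  const hostOk = wildcard ? url.hostname.endsWith('.' + want) : url.hostname === want;
  if (!hostOk) return false;
  if (!path) return true; // host-only source: any path on that host
  // A path ending in "/" is a prefix match; otherwise it must match exactly.
  return path.endsWith('/') ? url.pathname.startsWith(path) : url.pathname === path;
}

function fontAllowed(header, fontUrl, selfOrigin) {
  const policy = parsePolicy(header);
  const sources = policy['font-src'] ?? policy['default-src']; // font-src falls back to default-src
  if (sources === undefined) return true; // no applicable directive, nothing is restricted
  const url = new URL(fontUrl);
  return sources.some((s) => sourceMatches(s, url, selfOrigin));
}

const SELF = 'https://app.example'; // hypothetical application origin
// Constructed file names under the two locations from the question.
const FABRIC_FONT = 'https://static2.sharepointonline.com/files/fabric/assets/fonts/sample.woff2';
const FABRIC_ICON = 'https://spoprod-a.akamaihd.net/files/fabric/assets/icons/sample.woff';

const DEFAULT_CSP = "default-src 'self'";
const FABRIC_CSP = "default-src 'self'; font-src 'self' " +
  'https://static2.sharepointonline.com/files/fabric/assets/fonts/ ' +
  'https://spoprod-a.akamaihd.net/files/fabric/assets/icons/';

for (const csp of [DEFAULT_CSP, FABRIC_CSP]) {
  console.log(csp, '=>', fontAllowed(csp, FABRIC_FONT, SELF), fontAllowed(csp, FABRIC_ICON, SELF));
}
```

Browsers ignore the path part of a source expression once a request has been redirected, so path scoping narrows the allow-list but does not replace trust in the host itself.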