I got this CSP:
Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; connect-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline' fonts.googleapis.com; frame-src 'self'; font-src data: fonts.gstatic.com 'self'; frame-ancestors 'self';
For example, fonts.googleapis.com does not have a scheme or protocol (https: absent). Does it automatically mean that it is over secure HTTPS (if the current page/source is)? And would it be vulnerable to MiTM attacks? I think the documentation is not clear to me (the CSP evaluator of Google says 'Good').
Does it automatically mean that it is over secure HTTPS (if the current page/source is)?
Yes, a schemeless host-source means that the browser will follow the Same Origin Policy to restore the actual scheme.
Therefore if the page is loaded via HTTPS, all schemeless host-sources in CSP obtain the https:// scheme.
And on an HTTP page all schemeless host-sources in CSP obtain the http:// scheme; all the nitty-gritty is here.
And would it be vulnerable to MiTM attacks?
It would be vulnerable only on HTTP pages. Any HTTP page is vulnerable to MiTM, and a lot of Russian ISPs still inject their ads into the pages customers visit using MiTM on HTTP.
Why aren't you worried about 'self' usage? The 'self' means http://example.com on an HTTP page and https://example.com on HTTPS pages. So it's vulnerable the same way as schemeless fonts.googleapis.com usage.
BTW, why do you load fonts from Google's CDN in 2021? This slows the site: 1, 2, and the fonts are not cached by browsers. Use https://google-webfonts-helper.herokuapp.com/fonts to extract the fonts and store them locally, and then use <link rel="preload" as="font" ... preloading.
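The scheme-inheritance rule the answer describes can be checked mechanically. The following is an added example, not code from the question or the answer: it parses the exact CSP header from the question, shows what each schemeless host-source (fonts.googleapis.com, fonts.gstatic.com) and 'self' resolve to for an HTTPS versus an HTTP page origin, and then decides whether a given resource URL is allowed by a directive. It goes slightly beyond the answer in one respect, following the CSP Level 3 matching rule: on an http: page, a schemeless host-source (and 'self') also matches an https: URL, while on an https: page only https: matches, which is exactly why the plain-HTTP variant of the font URL is the MiTM-exposed one. The origin https://example.com, the sample resource URLs and the fallback-directive set are constructed for the example; port and path parts of host-sources are not modelled.

```python
from urllib.parse import urlsplit

# Constructed sample: the CSP header quoted in the question, verbatim.
CSP_HEADER = (
    "default-src 'none'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; "
    "connect-src 'self'; img-src 'self' data:; "
    "style-src 'self' 'unsafe-inline' fonts.googleapis.com; frame-src 'self'; "
    "font-src data: fonts.gstatic.com 'self'; frame-ancestors 'self';"
)

# Directives that do NOT fall back to default-src when absent (assumed subset).
NO_DEFAULT_FALLBACK = {"frame-ancestors", "base-uri", "form-action",
                       "sandbox", "report-uri", "report-to"}


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive-name: [source expressions]}.
    A directive repeated in the same header is ignored after its first occurrence."""
    policy = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def scheme_part_matches(page_scheme: str, url_scheme: str) -> bool:
    """CSP Level 3 scheme matching for schemeless sources and 'self':
    exact match, plus an http: page may load https: resources (never the reverse)."""
    return page_scheme == url_scheme or (page_scheme == "http" and url_scheme == "https")


def host_part_matches(pattern: str, hostname) -> bool:
    """Host matching: exact host, '*' for any host, or '*.example.com' for subdomains only."""
    if hostname is None:
        return False
    pattern = pattern.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return hostname.endswith(pattern[1:])   # 'b.a.com' matches '*.a.com'; 'a.com' does not
    return hostname == pattern


def resolve_schemeless(source: str, page_origin: str) -> str:
    """Render the scheme a schemeless host-source inherits from the page origin
    (the answer's 'obtains https://' point). Keywords and explicit schemes are untouched."""
    if source.startswith("'") or "://" in source or source.endswith(":"):
        return source
    return f"{urlsplit(page_origin).scheme}://{source}"


def source_allows(source: str, url: str, page_origin: str) -> bool:
    """Does one source expression permit loading `url` from a page at `page_origin`?"""
    page, target = urlsplit(page_origin), urlsplit(url)
    if source == "'self'":
        return (scheme_part_matches(page.scheme, target.scheme)
                and target.hostname == page.hostname and target.port == page.port)
    if source.startswith("'"):        # 'none', 'unsafe-inline', 'unsafe-eval', nonces: never match a URL
        return False
    if source.endswith(":"):          # scheme-source such as data: or https:
        return target.scheme == source[:-1].lower()
    if "://" in source:               # host-source with an explicit scheme
        scheme, host = source.split("://", 1)
        return target.scheme == scheme.lower() and host_part_matches(host.split("/")[0], target.hostname)
    # schemeless host-source: the scheme is taken from the page origin
    return scheme_part_matches(page.scheme, target.scheme) and host_part_matches(source.split("/")[0], target.hostname)


def directive_allows(policy: dict, directive: str, url: str, page_origin: str) -> bool:
    """Check a fetch directive, falling back to default-src when the directive is absent."""
    sources = policy.get(directive)
    if sources is None and directive not in NO_DEFAULT_FALLBACK:
        sources = policy.get("default-src")
    if sources is None:
        return True                   # nothing in the policy restricts this directive
    return any(source_allows(s, url, page_origin) for s in sources)


def effective_policy(policy: dict, page_origin: str) -> dict:
    """The policy as the browser will apply it on a page with the given origin."""
    return {d: [resolve_schemeless(s, page_origin) for s in srcs] for d, srcs in policy.items()}


if __name__ == "__main__":
    policy = parse_csp(CSP_HEADER)
    for origin in ("https://example.com", "http://example.com"):
        print(origin, "->", effective_policy(policy, origin)["style-src"])
    # On the HTTPS page only the https: font URL passes; the http: one (MiTM-exposed) is blocked.
    for url in ("https://fonts.googleapis.com/css", "http://fonts.googleapis.com/css"):
        print(url, directive_allows(policy, "style-src", url, "https://example.com"))
```

Running the block prints the resolved style-src list for both origins and shows that, on the HTTPS page, only the https: font stylesheet is permitted; the same check against http://example.com permits both, which is the case the answer calls MiTM-vulnerable.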