I am new to Content Security Policy and am trying to apply a policy like "Google Fonts violates Content Security Policy" to a page referencing a stylesheet from Google: https://fonts.googleapis.com/css?family=Raleway:300,400,700
The issue I am running into is that in Chrome the developer tools console tells me that the style-src rule is not set and it is defaulting to default-src. In IE I am not getting these warnings.
Here is the console error:
Refused to load the stylesheet 'https://fonts.googleapis.com/css?family=Raleway:300,400,700' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.
Here is a capture of my header with Fiddler:
Content-Security-Policy: default-src 'self' https:;script-src 'self' 'nonce-Ab4J0bSR7xiEFldCemz9' 'unsafe-eval';object-src 'self';style-src 'self' 'unsafe-inline' 'nonce-zGkHV0PmcLCJKhMH6H8V' https:;font-src 'self' https: data:
Is this a browser problem?
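
The style-src to default-src fallback that the console message refers to, as an added example that is not part of the original post: a simplified evaluator (only 'self', scheme and host sources are matched) run against the header captured above and against the policy text quoted in the error. The page origin https://app.example is a constructed placeholder.

```javascript
// Added example: simplified CSP check for stylesheet loads only.
// Not a full CSP implementation (no wildcard, path or port matching).

// Parse a serialized policy into a Map of directive name -> source list.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Report which directive governs a stylesheet URL and whether it is allowed.
function checkStylesheet(header, url, pageOrigin) {
  const policy = parsePolicy(header);
  const directive = policy.has('style-src') ? 'style-src'
    : policy.has('default-src') ? 'default-src' : null;
  if (directive === null) return { directive, allowed: true };
  const target = new URL(url);
  const allowed = policy.get(directive).some((src) => {
    const s = src.toLowerCase();
    if (s === "'self'") return target.origin === pageOrigin;
    if (s.startsWith("'")) return false;              // nonces and keywords never match a URL
    if (s.endsWith(':')) return target.protocol === s; // scheme source such as https:
    return s.includes('://') ? new URL(s).origin === target.origin
                             : target.host === s;     // bare host source
  });
  return { directive, allowed };
}

const FONT_URL = 'https://fonts.googleapis.com/css?family=Raleway:300,400,700';
const PAGE_ORIGIN = 'https://app.example'; // constructed placeholder origin
// Header value as captured in the post.
const CAPTURED = "default-src 'self' https:;script-src 'self' " +
  "'nonce-Ab4J0bSR7xiEFldCemz9' 'unsafe-eval';object-src 'self';" +
  "style-src 'self' 'unsafe-inline' 'nonce-zGkHV0PmcLCJKhMH6H8V' https:;" +
  "font-src 'self' https: data:";
// Policy text as quoted in the console error.
const QUOTED = "default-src 'self'";

console.log('captured header:', checkStylesheet(CAPTURED, FONT_URL, PAGE_ORIGIN));
console.log('quoted in error:', checkStylesheet(QUOTED, FONT_URL, PAGE_ORIGIN));
```

Under these simplified rules the captured header resolves to style-src and permits the stylesheet, while a policy consisting only of default-src 'self' reproduces the refusal, so the policy text the browser reports is worth comparing against the header seen in the capture.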