User Guide Cancel

Content security policy

The Content Security Policy (CSP) is a means for restricting which scripts and resources are allowed on your website. You could, for example, use CSP to stop external scripts from being executed on your website.

CSPs are not recommended for use with Adobe Fonts

While it is possible to use a CSP with web fonts from Adobe on the same page, we do not recommend it.  The CSP policy does not allow you to set an exception for inline styles added by a script from a specific domain. If you specify an unsafe-inline exception for styles, it will apply to all styles from all domains.

Adobe Fonts uses inline styles and fonts as data URIs to provide our service, and making exceptions for these negates a lot of the protection provided by a CSP. 

Using a CSP

If you do wish to use a CSP, follow these instructions to properly set your security directives. Take care, as failure to properly follow all of these instructions could result in an inadvertent violation of the Terms of Use for the web font service.

  1. The first directive is to allow scripts to load from our CDN, use.typekit.net:

    script-src 'self' use.typekit.net;
  2. Next, you need to allow stylesheets from use.typekit.net and specify unsafe-inline to allow scripts from all domains (including use.typekit.net) to use inline styles. This is required for font events to work.

    style-src 'self' 'unsafe-inline' use.typekit.net;
  3. The final requirement is an exception for images from p.typekit.net. Font loading uses a tracking image from this domain to calculate font usage and pay foundries appropriately for the use of their fonts.

    img-src 'self' p.typekit.net;
  4. Optionally, you can add an exception for our performance metrics. Performance metrics are sent at random intervals and are used to monitor the performance of our font network.

    connect-src performance.typekit.net

You should combine these directives into a single policy and set the Content-Security-Policy header on all your HTTP(S) responses. To support older versions of Chrome, Firefox, and Safari, you’ll also need to include the X-Content-Security-Policy and X-WebKit-CSP headers. For more information, please refer to the W3C CSP specification.

Get help faster and easier

New user?