Content security policy
- Adobe Fonts User Guide
- Font licensing
- Font licensing
- Manage your account
- Licensing for Creative Cloud for enterprise customers
- Adding font licenses to your account
- Removing fonts from the subscription library
- Adobe Fonts not available to Adobe IDs registered in China
- Why aren't these fonts included in my Creative Cloud subscription?
- Morisawa font removal September 2021
- Getting and using fonts
- Using Adobe Fonts in Creative Cloud apps
- Manage your fonts
- Resolve missing fonts in desktop applications
- Using fonts in InDesign
- Fonts and typography
- Using web fonts in HTML5 Canvas documents
- Using fonts in InCopy
- How to use fonts in Adobe Muse
- Using web fonts in Muse
- Packaging font files
- Troubleshooting guide: Activating fonts
- Active fonts aren't added to font menu
- "Unable to activate one or more fonts" or "A font with the same name is already installed"
- What happens when a font I'm using is updated by the foundry?
- Web design and development
- Add fonts to your website
- Troubleshooting guide: Adding fonts to a website
- Using web fonts in HTML email or newsletters
- Using web fonts with Accelerated Mobile Pages (AMP)
- CSS selectors
- Customize web font performance with font-display settings
- Embed codes
- Dynamic subsetting & web font serving
- Font events
- Why are my web fonts from use.typekit.net?
- Site can't connect to use.typekit.net
- Using web fonts with CodePen
- Browser and OS support
- Using web fonts when developing locally
- Content security policy
- Printing web fonts
- Language support and OpenType features
- Font technology
The Content Security Policy (CSP) is a means for restricting which scripts and resources are allowed on your website. You could, for example, use CSP to stop external scripts from being executed on your website.
CSPs are not recommended for use with Adobe Fonts
While it is possible to use a CSP with web fonts from Adobe on the same page, we do not recommend it. The CSP policy does not allow you to set an exception for inline styles added by a script from a specific domain. If you specify an unsafe-inline exception for styles, it will apply to all styles from all domains.
Adobe Fonts uses inline styles and fonts as data URIs to provide our service, and making exceptions for these negates a lot of the protection provided by a CSP.
Using a CSP
The first directive is to allow scripts to load from our CDN, use.typekit.net:script-src 'self' use.typekit.net;
Next, you need to allow stylesheets from use.typekit.net and specify unsafe-inline to allow scripts from all domains (including use.typekit.net) to use inline styles. This is required for font events to work.style-src 'self' 'unsafe-inline' use.typekit.net;
The final requirement is an exception for images from p.typekit.net. Font loading uses a tracking image from this domain to calculate font usage and pay foundries appropriately for the use of their fonts.img-src 'self' p.typekit.net;
Optionally, you can add an exception for our performance metrics. Performance metrics are sent at random intervals and are used to monitor the performance of our font network.connect-src performance.typekit.net
You should combine these directives into a single policy and set the Content-Security-Policy header on all your HTTP(S) responses. To support older versions of Chrome, Firefox, and Safari, you’ll also need to include the X-Content-Security-Policy and X-WebKit-CSP headers. For more information, please refer to the W3C CSP specification.