htmlcontent-security-policymeta-tags

Html Error: Refused to load the script because it violates the following Content Security Policy directive

Font awesome is not loading please help. I need to use font awesome icons but I am getting this error. Refused to load the script 'https://use.fontawesome.com/a780df76b3.js' because it violates the following Content Security Policy directive: "script-src 'self'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback

<!DOCTYPE html>
<html lang="en">

<head>
    <meta charset="UTF-8" />
    <meta name="viewport" content="width=device-width, user-scalable=no, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0" />
    <meta name="google-site-verification" content="3WujPQ31psszBWWagcwEXBhSUGSZreEvBe4ax5T1i2E" />
    <title>Authenticate</title>
    <link href="https://unpkg.com/tailwindcss@^2/dist/tailwind.min.css" rel="stylesheet" />
    <link rel="preconnect" href="https://fonts.gstatic.com" />
    <link href="https://fonts.googleapis.com/css2?family=Montserrat:wght@500&display=swap" rel="stylesheet" />

    <style>
        * {
            font-family: "Montserrat", sans-serif;
        }

        .google {
            margin-left: 630px;
            margin-bottom: 100px;
            margin-top: 80px;
        }

        .title {
            font-family: "Montserrat", sans-serif;
        }
        .google{
            margin: 0 auto;
            color: #111
        }

        .github {
            margin: 0 auto;
            color: #111
        }
    </style>
    <script  defer src="https://use.fontawesome.com/a780df76b3.js"></script>

</head>

<body>
    <h1 class="text-xl font-black my-9 text-center mx-auto title">
        Authenticate to start using
    </h1>
    <a id="google-button" class="btn btn-block btn-social btn-google google" href="/auth/google/">
        <i class="fa fa-google"></i> Login with Google
    </a>
    <!--Github-->
    <a id="github-button" class="btn btn-block btn-social btn-github github" href="/auth/github/">
        <i class="fa fa-github"></i> Login with GitHub
    </a>





</body>

</html>

It's showing this enter image description here

Solution

  • As you can see at "Run code snippet", your code work fine here. Therefore the reason is in your web-server - it's publish the Content Security Policy "script-src 'self'" by default.

    Just add https://use.fontawesome.com host-source to the script-src directive:
    "script-src 'self' https://use.fontawesome.com".

    Or switch CSP off if you do not know what is it. Because with default CSP settings also will be blocked at least: https://unpkg.com/tailwindcss@^2/dist/tailwind.min.css, https://fonts.gstatic.com and https://fonts.googleapis.com in the style-src and script-src directives.

    Since you have not specified what is used as a server, I'll try to guess: Node.js + Helmet 4 to manage security headers.
    To disable the contentSecurityPolicy middleware in Helmet but keeps the rest headers:

    helmet({
  contentSecurityPolicy: false,
})