meteor-mathjax

Browser Policy

Open CoolestNerdIII opened this issue 9 years ago • 7 comments

Hey! Quick question and I hope I am not missing something basic, but when implementing MathJax, I am also using browser-policy, and am receiving issues with loading the font. Specifically the error is:

Refused to load the font 'about:blank' because it violates the following Content Security Policy directive: "font-src 'self

Is there a specific browser policy that is necessary when loading in MathJax that you would be aware of? I have allowed loading from mathjax.org. Any assistance would be greatly appreciated.

CoolestNerdIII, Aug 10 '16 20:08

That's interesting. Can you please verify if MathJax works if you load it directly? i.e. without using the meteor-mathjax package and simply adding a <script> tag with the correct source.

I am loading it from the following source:

MeteorMathJax.sourceUrl = 'https://cdn.mathjax.org/mathjax/latest/MathJax.js?config=TeX-AMS-MML_HTMLorMML';

which can be changed BTW, by overwriting the sourceUrl property.

apendua, Aug 10 '16 20:08

Leaving a comment on an old issue because this came up in a Google search for the CSP violation. See https://github.com/mathjax/MathJax-docs/wiki/JavaScript-MathJax_Blank-font-error and mathjax/MathJax#256: MathJax purposefully loads a non-existent font to test browser behaviour.

It’s possible to add font-src about: to your CSP to avoid reporting this, but the security implications of this are left as an exercise for the reader…

cmbuckley, Feb 25 '22 00:02

@cmbuckley I am happy to accept a PR if you have an idea how to approach this.

apendua, Feb 25 '22 10:02

Unfortunately, I don’t think there’s an easy solution. MathJax does this behaviour by design, so users either need to accept the behaviour, or accept the CSP violation!

cmbuckley, Feb 25 '22 10:02

@cmbuckley

> MathJax purposefully loads a non-existent font to test browser behaviour.

Then perhaps, this is a good issue to report at MathJax directly?

https://github.com/mathjax/MathJax

apendua, Feb 25 '22 10:02

You’ll notice I linked a MathJax issue from 2012 in my first comment. As I say, this is by design, so I don’t think there’s anything that can be done!

cmbuckley, Feb 25 '22 10:02

@cmbuckley Ah, you're completely right. Sorry about missing that detail. I am quite distracted today.

apendua, Feb 25 '22 10:02
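
For sites that keep `font-src` strict and accept the violation, the one known report can be dropped at the report collector instead of widening the policy. The following is an added example, not code from this thread or from either project. It assumes legacy `report-uri` JSON bodies and that the browser reports the blocked font as either `about:blank` or just the scheme `about`; the function names and sample hosts are hypothetical.

```javascript
// Added example: triage CSP violation reports so the known MathJax font
// probe is dropped while every other violation stays visible.

// Assumption: the blocked URL arrives in full or stripped to its scheme.
const PROBE_BLOCKED = new Set(['about', 'about:blank']);

function directiveName(report) {
  // Prefer effective-directive; fall back to the first token of
  // violated-directive, which may carry the whole source list.
  const raw = report['effective-directive'] || report['violated-directive'] || '';
  return raw.trim().split(/\s+/)[0].toLowerCase();
}

function isMathJaxFontProbe(report) {
  const blocked = String(report['blocked-uri'] || '').trim().toLowerCase();
  return directiveName(report) === 'font-src' && PROBE_BLOCKED.has(blocked);
}

function triageReports(bodies) {
  const result = { suppressed: 0, malformed: 0, actionable: [] };
  for (const body of bodies) {
    let report;
    try {
      report = JSON.parse(body)['csp-report'];
    } catch (err) {
      report = undefined; // unparseable body or JSON null
    }
    if (!report || typeof report !== 'object') {
      result.malformed += 1;
    } else if (isMathJaxFontProbe(report)) {
      result.suppressed += 1;
    } else {
      result.actionable.push(report); // still needs a human look
    }
  }
  return result;
}

// Constructed sample reports; hosts and URIs are placeholders.
const SAMPLE_REPORTS = [
  JSON.stringify({ 'csp-report': { 'document-uri': 'https://app.example/', 'violated-directive': "font-src 'self'", 'blocked-uri': 'about' } }),
  JSON.stringify({ 'csp-report': { 'document-uri': 'https://app.example/', 'effective-directive': 'font-src', 'blocked-uri': 'about:blank' } }),
  JSON.stringify({ 'csp-report': { 'document-uri': 'https://app.example/', 'effective-directive': 'font-src', 'blocked-uri': 'https://fonts.example.net' } }),
  JSON.stringify({ 'csp-report': { 'document-uri': 'https://app.example/', 'effective-directive': 'script-src', 'blocked-uri': 'about' } }),
  '{not json',
];
```

The match is deliberately narrow: an `about` hit under any directive other than `font-src`, or a `font-src` hit for any real origin, remains actionable.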