CSP for Typekit: A Practical Setup Guide
Adobe Typekit — now usually called Adobe Fonts — is one of those services that looks simple until CSP enters the room. You paste the embed code, the fonts load, everyone is happy. Then you lock down your site with Content Security Policy and suddenly your typography falls back to Arial. I’ve had this break in production more than once. The annoying part is that Typekit needs more than one CSP directive, and the exact domains matter. If you only allow scripts, the stylesheet gets blocked. If you allow styles but forget fonts, the CSS loads and the fonts still fail. Classic. ...