Question: First run in development get CSP [Report Only] errors logged in the console

[aozora]

Hi,
after the setup, running in development the porject, I get the following errors logged to the browser console:

[Report Only] Refused to load the font 'data:font/truetype;charset=utf-8;base64,d09GRgABAAAAALY3ABIAAAABztAAAAAAAAC1QAAAAPcAAAHiAAAAAAAAAABHUE9TAACV9AAAFxIAAHKy/pn970dTVUIAAK0IAAAINQAAFD6g2KReTFRTSAAABtQAAAA6AAACQeO3nq5PUy8yAAACDAAAAFMAAABgZoZye2NtYXAAABxsAAADdwAABTpa8HPyY3Z0IAAAIbAAAAAoAAAAKAhGAbdmcGdtAAAf5AAAAQUAAAFzBpmcN2dhc3AAAJXoAAAADAAAAAwABwAHZ2x5ZgAAJkQAAGT0AADhaCjCChFoZG14AAAHEAAAFVwAADPIhU9AOGhlYWQAAAGUAAAANQAAADYFph12aGhlYQAAAcwAAAAgAAAAJAc2BPtobXR4AAACYAAABHEAAAj0jIVtDGxvY2EAACHYAAAEbAAABHyCc7p8bWF4cAAAAewAAAAgAAAAIARXAjxuYW1lAACLOAA...SCThVMYJIqZCqSu4rDezyzyKpY17tqhUyLsX30L+SQltAyggVZVqVMsLfPk1CNKvWoXtPreoMd2Ymd2YVd2S2+tbRTX92te3Sv7tP9egCjlnZ0oid96c/8LMkyrMgarMP67MDvNkYxV0uGjvOJFo+33umRlTnS48NR0ehv5tf6D/25M7IAAAB4AYVRRXfDMAz+K3q+jBc4DVyPmfGu56iNk9bKc9QO/ny5Y7iJP5DukGCGgtCjUDv2DZWsxsroHvmMA3jsUEM9TnoQx8NmHEMax+sKuqHdULlItRFFljsdCtZhW14qWh2mCiKj286Srwlc9vMROJ8M/Hcsak/njBZ6FrPHXtAKON/k7e/j0OQAb9h+mHVQhtg6Gm/r2TmjLVcvwbVymR6e31sY89p7uwn3o6Nvmx8XAmbUwVBOd48CVrkrwdWA8NYEbn69Ft3Z/AmDvFqGE2/fj78tvTlH0w9MfcpAGK7ZliRjjd2agD20SKpx8c34aPZXMwDpj6h5' because it violates the following Content Security Policy directive: "font-src 'self'".

localhost/:1 [Report Only] Refused to load the font 'data:font/truetype;charset=utf-8;base64, d09GRgABAAAAALM7AA8AAAABq0AAAAAAAACyRAAAAPcAAAHiAAAAAAAAAABHUE9TAACIDAAAIgQAAH82Ol56cUdTVUIAAKoQAAAIMwAAFD6gNKPBT1MvMgAAAdAAAABVAAAAYGbqc4pjbWFwAAAGbAAAA3wAAAU4Vch3gWN2dCAAAAwYAAAAQAAAAEAQPwNiZnBnbQAACegAAAEDAAABcwZZnDdnbHlmAAAQvAAAbJ4AAOZUwSn/MmhlYWQAAAFYAAAANgAAADYGApswaGhlYQAAAZAAAAAgAAAAJAdbBRtobXR4AAACKAAABEIAAAjwrN1ggGxvY2EAAAxYAAAEYgAABHqHyk9obWF4cAAAAbAAAAAgAAAAIARWA2ZuYW1lAAB9XAAAAoEAAAZuOd88j3Bvc3QAAH/gAAAIKgAAEi5ynk2NcHJlcAAACuwAAAEqAAACpAoaNTMAAQAAAAEAAA...STdLpgIn7fZCqSu5rDezyzyKpZz7vqhExLsEP0L+KQltJygoVYTqVM+PxDJaFaVekJvaE39RY7sTO7sCu7sbtQL3VQf92n+/WAHtRDehiopT2d6UU/BrAAS7EsK7Em67IBO/KnjVXM1dKhE3yixfOtb3pmZY70/HBUmjxmflv/BTgtM3AAeAGFUUV3wzAM/it6vowXOA1cj5nxrueojZPWynPUDv58uWO4iT+Q7pBghoLQo1A79g2VrMbK6B75jAN47FBDPU56EMfDZhxDGsfrCrqh3VC5SLURRZY7HQrWYVteKlodpgoio9vOkq8JXPbzETifDPx3LGpP54wWehazx17QCjjf5O3v49DkAG/Yfph1UIbYOhpv69k5oy1XL8G1cpkent9bGPPae7sJ96Ojb5sfFwJm1MFQTnePAla5K8HVgPDWBG5+vRbd2fwJg7xahhNv34+/Lb05R9MPTH3KQBiu2ZYkY43dmoA9tEiqcfHN+Gj2VzMA6Y+oeQ==' because it violates the following Content Security Policy directive: "font-src 'self'".

localhost/:1 [Report Only] Refused to load the font 'data:font/truetype;charset=utf-8;base64, d09GRgABAAAAAMjjABIAAAAB2mAAAAAAAADH7AAAAPcAAAHiAAAAAAAAAABHUE9TAACdfAAAIjcAAH80VqR1REdTVUIAAL+0AAAINwAAFD6g7KTPTFRTSAAABwQAAABHAAACQYV/Ri1PUy8yAAACDAAAAFQAAABgZ050kmNtYXAAAB1cAAAChQAAA/wdE0d/Y3Z0IAAAIdQAAAA0AAAANAq+BC1mcGdtAAAf5AAAAQUAAAFzBpmcN2dhc3AAAJ1wAAAADAAAAAwABwAHZ2x5ZgAAJnAAAGxKAADg/GpVnLBoZG14AAAHTAAAFhAAADPIAPyiAmhlYWQAAAGUAAAANQAAADYF/aZQaGhlYQAAAcwAAAAgAAAAJAdxBTBobXR4AAACYAAABKIAAAj0wQRTzWxvY2EAACIIAAAEZwAABHxHMIAQbWF4cAAAAewAAAAgAAAAIARXAs1uYW1lAACSvA...2hawUjGKWSTHlyN3B4j2cWs3I2964qIdNK7Bn7l3NIq2gNwdKsrkImONznSahSZTpEh+owvcW+7Mf+HMCBHCTUSS3UXS/oRb2kl/WKXkVU0IxWdKQr3VmSlVmNtdmIzdiSffjdhinO1apRR/hEi8+3rumZFRzp+eEo1XnM/Kz/ABXXNDcAeAGFUUV3wzAM/it6vowXOA1cj5nxrueojZPWynPUDv58uWO4iT+Q7pBghoLQo1A79g2VrMbK6B75jAN47FBDPU56EMfDZhxDGsfrCrqh3VC5SLURRZY7HQrWYVteKlodpgoio9vOkq8JXPbzETifDPx3LGpP54wWehazx17QCjjf5O3v49DkAG/Yfph1UIbYOhpv69k5oy1XL8G1cpkent9bGPPae7sJ96Ojb5sfFwJm1MFQTnePAla5K8HVgPDWBG5+vRbd2fwJg7xahhNv34+/Lb05R9MPTH3KQBiu2ZYkY43dmoA9tEiqcfHN+Gj2VzMA6Y+oeQ==' because it violates the following Content Security Policy directive: "font-src 'self'".

localhost/:1 

Shouldn't these tackled in the CSP header set in the custom server with helmet?

Thanks

[kentcdodds]

It looks like you've got something trying to dynamically add a font via a data uri. I'm guessing this is a library you've installed.

That's pretty sub-optimal, but you can update the CSP to support that if you're ok with the added vulnerability surface area. I'm on mobile so it's hard for me to give an example, but I'll bet ChatGPT could help.

[aozora]

Sorry Kent, maybe I was not clear: this happens at the first run of a new Epic Stack , just after I had finished the setup with npx create-epic-app@latest. I didn't installed anything...

[kentcdodds]

I'm guessing this is coming from a browser extension you have installed. Try running the app without any extensions (using another browser or incognito mode).