
bug(csp): fonts.googleapis.com blocked by style-src CSP directive #1112

@nesquena-hermes

Description

Summary

fonts.googleapis.com is blocked by the Content Security Policy style-src directive, which only permits 'self' 'unsafe-inline' https://cdn.jsdelivr.net. Google Fonts requests fail with a CSP violation.

Steps to Reproduce

Load the WebUI and open the browser DevTools console. Any page load that requests a Google Fonts stylesheet will show:

Refused to load the stylesheet 'https://fonts.googleapis.com/...' because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net"

Expected Behavior

Google Fonts stylesheets load successfully (if used), or the CSP directive is intentional and no Google Fonts requests are made from the app.

Actual Behavior

CSP violation logged in browser console. If any skin or theme relies on a Google Fonts URL, the font fails to load silently.

Fix

Either:

  1. Add https://fonts.googleapis.com to the style-src directive in the CSP header (in api/routes.py or wherever headers are set)
  2. Audit whether any Google Fonts URLs are actually referenced — if none are, investigate the source of the request (a skin file, a CDN CSS that pulls Google Fonts transitively, etc.)

Source

Reported by @vishnukool in Discord #report-bugs. Also related: #1100 (Prism.js SRI hash mismatch — separate issue filed separately).
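To check option 1 before changing the header, here is a small CSP source-list evaluator. It is added for this issue and is not part of the project; the document origin and the Google Fonts URL are constructed placeholders, and the matching rules are a simplified version of the CSP Level 3 host-source algorithm (no default-port or http-to-https upgrade handling).

```python
"""Evaluate whether a URL is permitted by a CSP fetch directive (constructed example)."""
from urllib.parse import urlparse

def parse_csp(header: str) -> dict[str, list[str]]:
    """Split 'a b; c d' into {'a': ['b'], 'c': ['d']}; directive names are case-insensitive."""
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])   # first occurrence wins
    return policy

def source_matches(source: str, url: str, origin: str) -> bool:
    """True if one CSP source expression permits url; origin is the document origin."""
    u, o = urlparse(url), urlparse(origin)
    if source == "'self'":
        return (u.scheme, u.netloc) == (o.scheme, o.netloc)
    if source.startswith("'"):                 # 'unsafe-inline', nonces, hashes: never match a URL
        return False
    if source.endswith(":"):                   # scheme-source such as "https:"
        return u.scheme == source[:-1]
    s = urlparse(source if "//" in source else "//" + source)
    scheme_ok = not s.scheme or u.scheme == s.scheme
    host, url_host = s.hostname or "", u.hostname or ""
    host_ok = url_host.endswith(host[1:]) if host.startswith("*.") else url_host == host
    port_ok = s.port is None or s.port == u.port   # simplified: no default-port logic
    return scheme_ok and host_ok and port_ok

def allowed(policy: dict[str, list[str]], directive: str, url: str, origin: str) -> bool:
    """Fetch-directive check with the default-src fallback browsers apply."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True                            # no governing directive: unrestricted
    if sources == ["'none'"]:
        return False
    return any(source_matches(s, url, origin) for s in sources)

REPORTED = "style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net"   # directive from the console error
PATCHED = REPORTED + " https://fonts.googleapis.com"                      # option 1 from the Fix section
FONT_CSS = "https://fonts.googleapis.com/css2?family=Inter"              # constructed sample request
ORIGIN = "https://webui.example"                                         # placeholder document origin

def check() -> dict[str, bool]:
    """Evaluate the constructed request under the reported and patched policies."""
    return {
        "reported": allowed(parse_csp(REPORTED), "style-src", FONT_CSS, ORIGIN),
        "patched": allowed(parse_csp(PATCHED), "style-src", FONT_CSS, ORIGIN),
        "self": allowed(parse_csp(REPORTED), "style-src", ORIGIN + "/static/app.css", ORIGIN),
    }

if __name__ == "__main__":
    for name, ok in check().items():
        print(f"{name}: {'permitted' if ok else 'refused'}")
```

Note that a Google Fonts stylesheet in turn requests font files from fonts.gstatic.com, so widening style-src alone still leaves a font-src violation unless that host is covered too; option 2 (removing the stray reference) avoids widening the policy at all.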

Metadata

Labels: bug (Something isn't working)
Assignees: none
Projects: none
Development: no branches or pull requests