Adobe fonts (typekit) not loading in zoom app, getting a 403 error. Works in any browser

nselvidge · September 29, 2022, 7:05pm

Zoom Apps Configuration

React frontend with node.js backend. Adobe web fonts for font styling

Description

Adobe typekit fonts won’t load in the zoom client app. I get a 403 response on the resource, but don’t get this response when loading the font in any other browser. When I make the exact same request (copy request as in the dev tools) with cURL it’s successful, but when the request is made by the zoom client it fails.

Error?

GET https://use.typekit.net/uuq3xbu.css net::ERR_ABORTED 403 (Blocked)

Troubleshooting Routes
I’ve tried checking if there are any missing headers from the request, but the exact same request made from any other browser (edge, chrome, cURL, fetch) works fine.
I’ve also tried changing the link tag attributes to different combinations

// default provided by adobe
    <link
      rel="stylesheet"
      href="https://use.typekit.net/uuq3xbu.css"
    />


// referrer and role tags
    <link
      rel="stylesheet"
      as="font"
      referrerpolicy="no-referrer"
      href="https://use.typekit.net/uuq3xbu.css"
    />


// crossorigin 
    <link
      rel="stylesheet"
      as="font"
      referrerpolicy="no-referrer"
      crossorigin="anonymous"
      href="https://use.typekit.net/uuq3xbu.css"
    />

adding the crossorigin tag makes the request fail with a new error of

       Access to CSS stylesheet at 'https://use.typekit.net/uuq3xbu.css' from origin 'https://emergence.ngrok.io' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

but this error also does not occur in any other web client

How To Reproduce
add this link tag to a zoom app:

    <link
      rel="stylesheet"
      href="https://use.typekit.net/uuq3xbu.css"
    />

Appreciate if anyone has some guidance to offer on how the stylesheet will be loaded differently in the zoom client!

shariq.torres · September 29, 2022, 7:16pm

Did you add the Adobe Typekit domain to the OSWAP headers? If it doesn’t have an entry there then the Zoom App will block that request. In particular you want to pay attention to the Content-Security-Policy.

nselvidge · September 29, 2022, 7:38pm

Thanks for the reply @shariq.torres . I did add *.typekit.net to the Content-Security-Policy header, but not sure if one of my other headers may be interfering

 reply.headers({
          "Strict-Transport-Security": "max-age=31536000 ; includeSubDomains",
          "X-Content-Type-Options": "nosniff",
          "Content-Security-Policy":
            "default-src 'self' *.typekit.net;  style-src 'self' 'unsafe-inline' *.typekit.net",
          "Referrer-Policy": "origin-when-cross-origin",
   });

shariq.torres · September 29, 2022, 9:05pm

If you want to include the Typekit CSS you would need to alter the style-src from self to use.typekit.net. The default-src is for Javascript files.

nselvidge · September 29, 2022, 9:09pm

style-src includes *.typekit.net (the last item in the list). The wildcard subdomain should still work right?

nselvidge · September 29, 2022, 9:12pm

I also just now tried with both the default-src and the style-src set to allow use.typekit.net with no luck


        reply.headers({
          "Strict-Transport-Security": "max-age=31536000 ; includeSubDomains",
          "X-Content-Type-Options": "nosniff",
          "Content-Security-Policy":
              "default-src 'self' use.typekit.net;  style-src 'self' 'unsafe-inline' use.typekit.net",
          "Referrer-Policy": "origin-when-cross-origin",
        });

shariq.torres · September 29, 2022, 9:14pm

What about using https://use.typekit.net? The docs on the headers say that a host-source has the protocol as well (CSP source values - HTTP | MDN)

nselvidge · September 29, 2022, 9:21pm

hmm yeah no luck there either:

nselvidge · October 1, 2022, 12:02am

Also want to point out that this same request with the same content security headers works in chrome and edge browsers, but fails in the zoom client. If I remove *.typekit.net from the content security policy, then chrome and edge will block the request. With that present chrome and edge will allow the request. Seems to be specific to how zoom’s client handles the request.

MaxM · October 5, 2022, 6:56pm

@nselvidge Are you seeing any errors in the JavaScript console or network tab within the Zoom Client when testing this out? Please share those here if so.

In the meantime, you can try adding the domain to the domain allow list within the Zoom Marketplace Page.

Let me know if that helps.

nselvidge · October 26, 2022, 7:00pm

Thanks for reaching out Max.

Wanted to follow up in here because I was able to get this working.

I had tried having use.typekit.net in my zoom marketplace domain whitelist, and I tried typekit.net in my domain whitelist, but I had not tried allowing both. When I added both use.typekit.net and typekit.net (then later added p.typekit.net since it was referenced in the imported css) it began working.

Seems like I needed to list both the TLD and the subdomain separately in the zoom marketplace settings.

MaxM · October 27, 2022, 6:15pm

Thanks for sharing your solution @nselvidge! Out of curiosity, does using a wildcard work too?

Such as: *.typekit.net

Topic		Replies	Views
I have created the zoom app, it's still in the testing phase. When I try to open the app in the zoom client. It display the blank page Zoom Apps	13	903	November 20, 2022
Loading Web SDK 1.9.1 returns 403 AccessDenied Web	2	1222	April 12, 2021
Access denied on CDN Web	3	754	March 21, 2021
Failed to load resource: the server responded with a status of 403 () zoom-meeting-1.7.9.min.js:1 Web	18	4240	July 1, 2021
Zoom Styles Issues Web	2	1208	August 21, 2020

Adobe fonts (typekit) not loading in zoom app, getting a 403 error. Works in any browser

Related Topics