Good Morning,
I have just tried installing an SSL Certificate on a site which told me that there were unsecure items on the page. I have traced this to the Google Fonts import. Upon changing this in the style.css file my site is now secure. Maybe this should be changed in the source.

I then tried my website on the http connection and everything works correctly - so they can be entered as https:// in the css.

Bryn

CommentFileSizeAuthor
#9 insecure-warnings-google-fonts-ssl-1670748-7104150-2.patch1.21 KBdanny englander
#8 insecure-warnings-google-fonts-ssl-1670748-7104150.patch1.12 KBdanny englander

Comments

devsaran’s picture

devsaran commented
Status: Active » Closed (fixed)

For SSL,

You need to do code changes in style.css.. Change from

@import url(http://fonts.googleapis.com/css?family=Open+Sans:400,700,800,300);
@import url(http://fonts.googleapis.com/css?family=Bitter:400,700);

to 

@import url(https://fonts.googleapis.com/css?family=Open+Sans:400,700,800,300);
@import url(https://fonts.googleapis.com/css?family=Bitter:400,700);
Homotechsual’s picture

Homotechsual commented

You can also download the font packages from Google Web Fonts and host these locally to reduce cross-site requests.

alibama’s picture

alibama commented

confirmed that #1 works fine - any reason not to commit this or is there a better solution all together?
Thanks
ap

Homotechsual’s picture

Homotechsual commented

The reason not to commit this is that not everyone wants SSL webfonts. This needs to become a theme option if it's committed with a simple on/off switch.

Failing that - bundle the google webfonts used into the theme. This is permitted as most google webfonts are GPL licensed afaik.

danny englander’s picture

danny englander
(he/him)
commented

Actually the proper way to do this so it will work with secure and non secure sites is to take off the http(s) entirely. It's best done as a template preprocess function. For example:

function YOURTHEME_preprocess_html(&$variables) {
  drupal_add_css('//fonts.googleapis.com/css?family=Open+Sans:400,700,800,300',array('type' => 'external'));
}

I'm not sure if this will work as @import though. I solved a recent issue for my theme this way:

#1921294: Google Fonts cause unsecure warnings when using SSL

Homotechsual’s picture

Homotechsual commented

highrockmedia That's great advice!

danny englander’s picture

danny englander
(he/him)
commented
Status: Closed (fixed) » Needs work

Going to open this back up to supply a proper patch when I have some time.

danny englander’s picture

danny englander
(he/him)
commented
Title: SSL Security & Fonts » Insecure warnings using SSL with Google fonts
Version: 7.x-1.2 » 7.x-1.6
Status: Needs work » Needs review
StatusFileSize
new insecure-warnings-google-fonts-ssl-1670748-7104150.patch1.12 KB

Here is a patch for this. If we could get someone to test this with SSL, it would be great. I tested and did not have any issues but I did not have an SSL environment to test with. However, it should be fine otherwise.

Also to saran.quardz, the maintainer of this theme, when you commit this patch, please be sure to give proper attribution as such:
--author="highrockmedia <highrockmedia@406120.no-reply.drupal.org>"

You need to pass this option to git commit

If you have questions about this, see: Adding a commit author

Thank you.

danny englander’s picture

danny englander
(he/him)
commented
StatusFileSize
new insecure-warnings-google-fonts-ssl-1670748-7104150-2.patch1.21 KB

Updating patch to include all the fonts that had been in style.css (added 'Bitter'). Disregard the patch from #8 above.