
Copilot AI commented Nov 12, 2025

Security scanners flag the Google Fonts CDN reference for Sen font due to missing SRI hashes, which Google Fonts doesn't support. Self-hosting eliminates this external dependency and CSP concern.

Changes

Frontend:

  • Added Sen font WOFF2 files (weights 400/700/800, ~33 KB total) in versioned path fonts/sen/v1/
  • Replaced Google Fonts CDN reference with local CSS in index.html:
    - <link href="https://fonts.googleapis.com/css2?family=Sen:wght@400;700;800&display=swap" rel="stylesheet" />
    + <link rel="stylesheet" href="::baseUriPath::fonts/sen/v1/sen.css" />
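Review bot: The replaced Google Fonts link carried `display=swap`, which the new local `sen.css` only preserves if each `@font-face` rule declares `font-display: swap`; without it, text waits for the WOFF2 download, which is exactly the first-render concern raised on the issue. Worth confirming the shipped `sen.css` sets it, and that `::baseUriPath::` is substituted on this tag the same way as for the other assets in index.html.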
  • Included SIL Open Font License for compliance

Backend:

  • Added dedicated middleware in app.ts for font delivery with immutable caching:
    app.use(
        `${baseUriPath}/fonts`,
        express.static(path.join(publicFolder, 'fonts'), {
            index: false,
            immutable: true,
            maxAge: '365d',
        }),
    );

Versioned URL path enables future updates without cache issues. Material Symbols remains on Google Fonts CDN (different font, separate concern).

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • download.cypress.io
    • Triggering command: /usr/local/bin/node index.js --exec install (dns block)
  • fonts.googleapis.com
    • Triggering command: curl -L REDACTED;700;800&display=swap -H User-Agent: Mozilla/5.0 -o sen-font.css (dns block)
  • https://api.github.com/repos/google/fonts/contents/ofl/sen
    • Triggering command: curl -s REDACTED (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

This section details the original issue you should resolve

<issue_title>Self-host Sen font instead of using Google Fonts</issue_title>
<issue_description>### Describe the feature request

Currently, the Unleash front-end loads the Sen font via Google Fonts (https://github.com/Unleash/unleash/blob/main/frontend/index.html#L17). This happens on all pages, including the login page.

As a result, public security scanners notice the lack of SRI integrity hash on this external resource, and can flag it as a finding.

Google Fonts' CDN doesn't support SRI (because they have some user-agent based dynamic logic) so it's not possible to add a hash to the current externally-hosted resource.

The Sen font is subject to the OFL, which allows free redistribution.

Given the performance benefits of using an external CDN are likely to be small (the Unleash HTML frontend is unlikely to see huge amounts of external visitors), would it be possible to include the font asset with Unleash, avoiding the external resource and SRI issues, and removing another external source from the CSP at the same time?

Background

Described above.

Solution suggestions

Include a WOFF2 version of the Sen font as a static asset distributed with the Unleash server, and serve this ourselves instead of referencing a CDN-hosted version.</issue_description>

<agent_instructions>Please inline the fonts as described in the issue. Please make sure to also add a unique URL for the font and immutable caching headers. </agent_instructions>

Comments on the Issue (you are @copilot in this section)

@gastonfournier We'd need to validate the first render time and ensure that we cache this properly. @rmc47 would you be open to opening a PR? We'd be happy to look into it, provided the render time is not increasing significantly.



vercel bot commented Nov 12, 2025


1 Skipped Deployment
Project Deployment Preview Updated (UTC)
unleash-docs Ignored Ignored Preview Nov 12, 2025 7:39am

Copilot AI changed the title from "[WIP] Self-host Sen font instead of using Google Fonts" to "Self-host Sen font to eliminate external CDN dependency" Nov 12, 2025
Copilot AI requested a review from ivarconr November 12, 2025 07:46
Copilot finished work on behalf of ivarconr November 12, 2025 07:46
@github-actions

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None


Development

Successfully merging this pull request may close these issues.

Self-host Sen font instead of using Google Fonts

2 participants