Weird Insecure Google Font Response

I don’t know in what case you would use code like this, but there you go:

c.loadFonts=function(){""!=myFT.instantAds.CustomFont?c.addCSSRule("body","font-family:"+myFT.instantAds.CustomFont):""!=myFT.instantAds.GoogleFont&&(WebFontConfig={google:{families:[myFT.instantAds.GoogleFont]}},function(){var n=document.createElement("script");n.src="",n.type="text/javascript",n.async="true";var t=document.getElementsByTagName("script")[0];t.parentNode.insertBefore(n,t)}(),c.addCSSRule("body","font-family:"+myFT.instantAds.GoogleFont)),c.loadNext()}

Basically, it pulls in fonts via instantAds (dynamic) variables and uses Google’s WebFont JS library to load a Google Font. What is curious, though, is that even though the call to Google’s WebFont JS library is made over HTTPS, the font links it returns are not.

Defined in the manifest:

{"name":"GoogleFont", "type":"text","default":"Lato"}

The following results are from using the ‘Network’ options in ‘Inspect Element’ in Firefox.

URL Parameters:


The request, copied as a curl command:

curl '' -H 'Host:' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:40.0) Gecko/20100101 Firefox/40.0' -H 'Accept: text/css,*/*;q=0.1' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'Referer:' -H 'Connection: keep-alive'

The response:

@font-face {
  font-family: 'Lato';
  font-style: normal;
  font-weight: 400;
  src: local('Lato Regular'), local('Lato-Regular'), url( format('woff2');

An https:// version of the font file definitely exists, so why not return that? Especially when it’s Google and Yahoo that penalise ads for being insecure.
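As an added example (not code from the post or from Google), here is a small check that scans a @font-face stylesheet like the one returned above for font sources that would load over plain http, and rewrites them to https; it also treats protocol-relative (//host/...) sources as insecure, which goes beyond the case in the post. The sample stylesheet is constructed and the host names are placeholders.

```javascript
// Added example: find @font-face sources that would load over plain http
// (mixed content on an https page) and produce an https-only version.
// The sample stylesheet below is constructed; the host names are placeholders.

const SAMPLE_CSS = `
@font-face {
  font-family: 'Lato';
  font-style: normal;
  font-weight: 400;
  src: local('Lato Regular'), local('Lato-Regular'),
       url(http://fonts.example.invalid/lato-regular.woff2) format('woff2');
}
@font-face {
  font-family: 'Lato';
  font-weight: 700;
  src: url("https://fonts.example.invalid/lato-bold.woff2") format('woff2'),
       url(//fonts.example.invalid/lato-bold.woff) format('woff');
}
`;

// Match url(...) with optional single or double quotes around the address.
const URL_RE = /url\(\s*(['"]?)([^'")]+)\1\s*\)/g;

// Return every url(...) address in the stylesheet that is neither https nor data:.
// Protocol-relative (//host/...) addresses are reported too: on an http page
// they resolve to http, so they are not a safe substitute for https.
function findInsecureFontUrls(css) {
  const insecure = [];
  for (const m of css.matchAll(URL_RE)) {
    const address = m[2].trim();
    if (!/^(https:\/\/|data:)/i.test(address)) insecure.push(address);
  }
  return insecure;
}

// Rewrite http:// and protocol-relative addresses to https://; https: and
// data: addresses are left untouched. Quoting style is preserved.
function forceHttps(css) {
  return css.replace(URL_RE, (whole, quote, address) => {
    const a = address.trim();
    let fixed = a;
    if (/^http:\/\//i.test(a)) fixed = 'https://' + a.slice('http://'.length);
    else if (a.startsWith('//')) fixed = 'https:' + a;
    return `url(${quote}${fixed}${quote})`;
  });
}

console.log(findInsecureFontUrls(SAMPLE_CSS));
console.log(findInsecureFontUrls(forceHttps(SAMPLE_CSS)).length === 0);
```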