Weird Insecure Google Font Response


I don’t know in what case you would use code like this, but there you go:

c.loadFonts = function () {
  // A custom font name, if set, wins outright.
  if ("" != myFT.instantAds.CustomFont) {
    c.addCSSRule("body", "font-family:" + myFT.instantAds.CustomFont);
  } else if ("" != myFT.instantAds.GoogleFont) {
    // Global config that webfont.js reads once it has loaded.
    WebFontConfig = { google: { families: [myFT.instantAds.GoogleFont] } };
    // Inject the loader script (fetched over https) ahead of the first script tag.
    (function () {
      var n = document.createElement("script");
      n.src = "https://ajax.googleapis.com/ajax/libs/webfont/1/webfont.js";
      n.type = "text/javascript";
      n.async = "true";
      var t = document.getElementsByTagName("script")[0];
      t.parentNode.insertBefore(n, t);
    })();
    c.addCSSRule("body", "font-family:" + myFT.instantAds.GoogleFont);
  }
  // Runs in every case: the original chains it with the comma operator.
  c.loadNext();
};

Basically, it pulls the font name in from instantAds (dynamic) variables and uses Google's WebFont JS library to load a Google Font. What is curious is that although the loader script itself is fetched over https, the stylesheet it then requests from fonts.googleapis.com, and the font file URLs inside that stylesheet, are plain http.

Defined in the manifest:

{"name":"GoogleFont", "type":"text","default":"Lato"}

The following results come from the Network tab of Firefox's Inspect Element (developer tools).

URL Parameters:

family=Lato

The request copied as cURL from the Network tab. Note the scheme: the stylesheet was requested from http://fonts.googleapis.com, not https, and the Referer shows that the page itself is served over plain http:

curl 'http://fonts.googleapis.com/css?family=Lato' \
  -H 'Host: fonts.googleapis.com' \
  -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:40.0) Gecko/20100101 Firefox/40.0' \
  -H 'Accept: text/css,*/*;q=0.1' \
  -H 'Accept-Language: en-US,en;q=0.5' \
  --compressed \
  -H 'Referer: http://www.site.net/index.html' \
  -H 'Connection: keep-alive'

The response:

@font-face {
  font-family: 'Lato';
  font-style: normal;
  font-weight: 400;
  src: local('Lato Regular'), local('Lato-Regular'), url(http://fonts.gstatic.com/s/lato/v11/MDadn8DQ_3oT6kvnUq_2r_esZW2xOQ-xsNqO47m55DA.woff2) format('woff2');
}

An https:// version of that font file definitely exists, so why not return it? The captured request explains the behaviour: the stylesheet itself was fetched from http://fonts.googleapis.com, because the page is plain http (see the Referer) and the loader requests the CSS with the page's own scheme, and the Fonts API answers with font URLs in the same scheme it was asked with. Loading webfont.js over https does nothing to change that. The practical fix on the ad side is to request the stylesheet over https explicitly, or to serve the page over https, rather than leaving the choice to the loader. It is still odd that Google does not simply return https links, especially when Google and Yahoo are the ones penalising ads for being insecure.
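As an added example (not code from the post, from the ad template it quotes, or from webfont.js), the helpers below show how an ad script can keep font loading on https on its own side, and how to audit a returned stylesheet for plain-http font references. The function names, the fake-DOM parameter and the sample CSS (a constructed copy of the response shown above) are all assumptions of this example.

```javascript
// Added example, not part of the original post. Helpers that fix the scheme
// of the Google Fonts stylesheet request to https regardless of the page's
// own scheme, plus a checker that flags and upgrades plain-http url()
// references in a returned stylesheet. All names here are hypothetical.

const FONTS_CSS_ENDPOINT = "https://fonts.googleapis.com/css";

// Build the stylesheet URL for a family name taken from a dynamic variable
// (myFT.instantAds.GoogleFont in the post). The scheme is fixed to https,
// and the family is URL-encoded with '+' for spaces, the form the API itself
// uses in its links (family=Open+Sans).
function buildFontStylesheetUrl(family) {
  const name = String(family == null ? "" : family).trim();
  if (name === "") {
    throw new Error("font family must not be empty");
  }
  const encoded = encodeURIComponent(name).replace(/%20/g, "+");
  return FONTS_CSS_ENDPOINT + "?family=" + encoded;
}

// Return every url(...) in a CSS text whose scheme is plain http.
// Handles bare, single-quoted and double-quoted url() forms.
function findInsecureFontUrls(css) {
  const re = /url\(\s*(['"]?)(http:\/\/[^'")\s]+)\1\s*\)/gi;
  const found = [];
  let m;
  while ((m = re.exec(css)) !== null) {
    found.push(m[2]);
  }
  return found;
}

// Rewrite http:// inside url() to https://. Only the scheme changes; host
// and path are kept, since the post notes fonts.gstatic.com serves the same
// file over https.
function upgradeFontUrls(css) {
  return css.replace(/url\(\s*(['"]?)http:\/\//gi, "url($1https://");
}

// Browser-side replacement for the loader: add the stylesheet <link> over
// https directly, so the API answers with https font URLs and no mixed
// content appears. `doc` is passed in (normally `document`) so the function
// can be exercised without a real DOM.
function injectFontStylesheet(doc, family) {
  const link = doc.createElement("link");
  link.rel = "stylesheet";
  link.href = buildFontStylesheetUrl(family);
  doc.head.appendChild(link);
  return link.href;
}

// Constructed sample: a copy of the CSS the post shows coming back from
// http://fonts.googleapis.com/css?family=Lato.
const SAMPLE_CSS = `@font-face {
  font-family: 'Lato';
  font-style: normal;
  font-weight: 400;
  src: local('Lato Regular'), local('Lato-Regular'), url(http://fonts.gstatic.com/s/lato/v11/MDadn8DQ_3oT6kvnUq_2r_esZW2xOQ-xsNqO47m55DA.woff2) format('woff2');
}`;

// Audit the sample: list the insecure references and confirm the upgraded
// text has none left.
function auditSample() {
  const insecure = findInsecureFontUrls(SAMPLE_CSS);
  const fixed = upgradeFontUrls(SAMPLE_CSS);
  return {
    insecure: insecure,
    remainingAfterFix: findInsecureFontUrls(fixed).length,
    fixed: fixed,
  };
}

if (typeof module !== "undefined" && typeof require !== "undefined" && require.main === module) {
  console.log(auditSample());
}
```

In a real ad, call injectFontStylesheet(document, myFT.instantAds.GoogleFont) in place of the loader injection, and keep findInsecureFontUrls for a build-time or proxy-side check of whatever CSS the font service actually returns.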