Index: openacs-4/packages/acs-tcl/tcl/security-procs.tcl =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-tcl/tcl/security-procs.tcl,v diff -u -r1.78.2.29 -r1.78.2.30 --- openacs-4/packages/acs-tcl/tcl/security-procs.tcl 13 Sep 2016 08:23:29 -0000 1.78.2.29 +++ openacs-4/packages/acs-tcl/tcl/security-procs.tcl 15 Sep 2016 07:23:38 -0000 1.78.2.30 @@ -2056,6 +2056,12 @@ security::csp::require font-src 'self' # + # Some browser (safari, chrome) need "font-src data:", maybe + # for plugins or diffent font settings. Seems safe enough. + # + security::csp::require font-src data: + + # # Always add the nonce-token to script-src. Note, that nonce # definition comes via CSP 2, which - at the current time - is # not supported by all browsers interpreting CSPs. We could
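Review bot: The added `security::csp::require font-src data:` relaxes the policy for every response, but the comment above it gives no verifiable reason ("maybe for plugins", "Seems safe enough"), so a later maintainer cannot tell whether the entry is still needed. If the violations come from browser extensions injecting their own fonts, as the comment guesses, the site policy may not need to change at all; if a bundled stylesheet embeds fonts as data: URIs, naming it would justify the entry. I would record the evidence in the comment, e.g. `# Allow data: fonts: <stylesheet or CSP report that triggered the violation>; data: fonts are embedded in the page and cause no external fetch.`, and fix the typo "diffent" to "different". The enclosing proc starts and ends outside this hunk, so whether the directive could instead be required only by the package that needs it cannot be judged from here.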