Configuring a Content Security Policy with Joonasw.AspNetCore.SecurityHeaders in .NET Core 3.1

Question (0 votes, 1 answer)

My application has to use Google Fonts. Here are the links:

<link href="https://fonts.googleapis.com/icon?family=Material+Icons" rel="stylesheet" >
<link href="https://fonts.googleapis.com/css?family=Open+Sans:400,600,100|Raleway:400,600,100" rel="stylesheet" >
<link href="https://fonts.googleapis.com/css?family=Roboto&display=swap" rel="stylesheet" >

The browser blocks these requests because of the content security policy, so I am using Joonasw.AspNetCore.SecurityHeaders. Here is my configuration in Startup.cs:
public void Configure(IApplicationBuilder app, IWebHostEnvironment env) {

app.UseSerilogRequestLogging();

if (env.IsDevelopment()) {
    app.UseDeveloperExceptionPage();
}
else {
    app.UseExceptionHandler("/Error");
    // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
    //app.UseHsts();
}

app.UseHsts(new HstsOptions(TimeSpan.FromDays(30), includeSubDomains: false, preload: false));

// Use certificate pinning with:
// - 30-day caching period
// - One pin in SHA-256 form
// - Report-Only = Invalid certificate should not be reported, but:
// - Report problems to /hpkp-report
app.UseHpkp(hpkp => {
    hpkp.UseMaxAgeSeconds(30 * 24 * 60 * 60).AddSha256Pin("nrmpk4ZI3wbRBmUZIT5aKAgP0LlKHRgfA2Snjzeg9iY=").SetReportOnly().ReportViolationsTo("/hpkp-report");
});

app.UseCsp(csp => {
    // If nothing is mentioned for a resource class, allow from this domain
    csp.ByDefaultAllow.FromSelf();

    // Allow JavaScript from:
    csp.AllowScripts.FromSelf() // This domain
    .From("cdnjs.cloudflare.com").AddNonce(); // <----
    // CSS allowed from:
    csp.AllowStyles.FromSelf().From("fonts.googleapis.com").From("fonts.gstatic.com").AddNonce(); // <----
    csp.AllowImages.FromSelf();

    // HTML5 audio and video element sources can be from:
    csp.AllowAudioAndVideo.FromNowhere();

    // Contained iframes can be sourced from:
    csp.AllowFrames.FromNowhere(); //Nowhere, no iframes allowed
    // Allow AJAX, WebSocket and EventSource connections to:
    csp.AllowConnections.To("ws://localhost:1591").To("http://localhost:1591").ToSelf();

    // Allow fonts to be downloaded from:
    csp.AllowFonts.FromSelf().From("fonts.googleapis.com").From("fonts.gstatic.com");

    // Allow object, embed, and applet sources from:
    csp.AllowPlugins.FromNowhere();

    // Allow other sites to put this in an iframe?
    csp.AllowFraming.FromNowhere(); // Block framing on other sites, equivalent to X-Frame-Options: DENY
    //// Do not block violations, only report
    //// This is a good idea while testing your CSP
    //// Remove it when you know everything will work
    //csp.SetReportOnly();
    //// Where should the violation reports be sent to?
    //csp.ReportViolationsTo("/csp-report");
    // Do not include the CSP header for requests to the /api endpoints
    csp.OnSendingHeader = context => {
        context.ShouldNotSend = context.HttpContext.Request.Path.StartsWithSegments("/api");
        return Task.CompletedTask;
    };
});

app.Use((context, next) => {
    context.Request.Scheme = "https";

    return next();
});

app.UseCors("api");

app.UseStaticFiles();

app.UseRouting();
app.UseIdentityServer();
app.UseAuthorization();

app.UseEndpoints(endpoints => {
    endpoints.MapDefaultControllerRoute();
});

//app.UseHttpsRedirection();
app.UseSwagger();
app.UseSwaggerUI(c => {
    c.SwaggerEndpoint("/swagger/v1/swagger.json", "API V1");
});

But the same error still appears. Here is a screenshot:

[screenshot: Browser]

Here is a sample request. I am not sure why the security headers are not being injected on the request:

[screenshot: Request sample]

Have I configured something wrong? I am using .NET Core 3.1.

asp.net-core content-security-policy
1 Answer

0 votes

At least for the blocked calls, you need to specify the allowed sources for the following fonts separately:

csp.AllowFonts.FromSelf().From("https://fonts.googleapis.com").From("https://fonts.gstatic.com/s/");

and also

csp.AllowStyles.FromSelf().AllowUnsafeInline().From("https://fonts.googleapis.com");

For styles you can use AllowUnsafeInline() as shown above, and if scripts produce eval errors you can try .AllowUnsafeEval().
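To see concretely what the policy in the question and the policy in the answer would each let through, here is an added example (not code from the question, the answer, or the Joonasw library): a small Python checker that parses a serialized Content-Security-Policy header, picks the directive that governs a given fetch (style-src for the `<link rel="stylesheet">`, font-src for the font files that stylesheet then requests from fonts.gstatic.com, default-src as fallback), and applies the CSP Level 3 host-source matching rules for scheme, host, port and path prefix. The two header strings are constructed by hand from the UseCsp block in the question and from the answer's two lines; the library's exact serialization and the nonce it appends are not shown on the page, and the page URL and font file paths are constructed sample values.

```python
"""Added example (not from the question, the answer, or the Joonasw library):
parse a Content-Security-Policy header and decide which directive governs a
fetch and whether a URL passes, using CSP Level 3 host-source matching
(scheme, host, port, path prefix)."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}

# Which fetch directive governs each kind of load (subset relevant here)
FETCH_DIRECTIVES = {
    "stylesheet": "style-src",  # <link rel="stylesheet"> and @import
    "font": "font-src",         # @font-face url(...) loads triggered by that CSS
    "script": "script-src",
    "connect": "connect-src",   # fetch/XHR/WebSocket
}

# Constructed by hand from the question's UseCsp block (the library's exact
# serialization and the nonce it appends are not shown on the page).
ASKER_POLICY = (
    "default-src 'self'; script-src 'self' cdnjs.cloudflare.com; "
    "style-src 'self' fonts.googleapis.com fonts.gstatic.com; "
    "font-src 'self' fonts.googleapis.com fonts.gstatic.com; img-src 'self'; "
    "frame-src 'none'; connect-src 'self' ws://localhost:1591 http://localhost:1591"
)
# Same idea with the answer's two lines substituted for style-src and font-src.
ANSWER_POLICY = (
    "default-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; "
    "font-src 'self' https://fonts.googleapis.com https://fonts.gstatic.com/s/"
)


def parse_csp(header):
    """Serialized policy -> {directive name: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy, fetch_type):
    """A missing fetch directive falls back to default-src."""
    name = FETCH_DIRECTIVES[fetch_type]
    if name in policy:
        return name, policy[name]
    return "default-src", policy.get("default-src", [])


def _origin(u):
    return (u.scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(u.scheme))


def source_allows(source, url, page_url):
    """Match one source expression against a URL; page_url supplies 'self'."""
    u, page = urlsplit(url), urlsplit(page_url)
    if source == "'self'":
        return _origin(u) == _origin(page)
    if source.startswith("'"):
        return False  # 'none', 'unsafe-inline', nonces and hashes never match a URL
    if source == "*":
        return u.scheme in DEFAULT_PORTS
    scheme, sep, rest = source.partition("://")
    if not sep:
        scheme, rest = None, source  # scheme-less host-source
    hostport, sep, path = rest.partition("/")
    path = sep + path
    host, _, port = hostport.partition(":")
    # Scheme: an explicit http, or a scheme-less source on an http page, also accepts https.
    wanted = scheme or page.scheme
    if u.scheme != wanted and not (wanted == "http" and u.scheme == "https"):
        return False
    host, url_host = host.lower(), (u.hostname or "").lower()
    if host.startswith("*."):
        if not url_host.endswith(host[1:]):
            return False
    elif url_host != host:
        return False
    if port and port != "*" and _origin(u)[2] != int(port):
        return False
    if not port and u.port not in (None, DEFAULT_PORTS.get(u.scheme)):
        return False
    if path:
        # A trailing slash means prefix match; anything else must match exactly.
        return u.path.startswith(path) if path.endswith("/") else u.path == path
    return True


def check(header, fetch_type, url, page_url="https://localhost:5001/"):
    """Return (governing directive, allowed?) for one fetch under the policy."""
    name, sources = effective_sources(parse_csp(header), fetch_type)
    return name, any(source_allows(s, url, page_url) for s in sources)


if __name__ == "__main__":
    # Constructed URLs: the question's stylesheet link and the kind of font file
    # that stylesheet goes on to request from fonts.gstatic.com.
    css = "https://fonts.googleapis.com/css?family=Roboto&display=swap"
    woff = "https://fonts.gstatic.com/s/roboto/v20/example.woff2"
    for label, policy in (("question", ASKER_POLICY), ("answer", ANSWER_POLICY)):
        print(label, "stylesheet:", check(policy, "stylesheet", css))
        print(label, "font:", check(policy, "font", woff))
        print(label, "script:", check(policy, "script", "https://cdnjs.cloudflare.com/a.js"))
```

Running it shows why both hosts appear in the question: the stylesheet URL is judged by style-src against fonts.googleapis.com, while the .woff2 files that the stylesheet loads are judged by font-src against fonts.gstatic.com. The answer's `https://fonts.gstatic.com/s/` entry only admits font files under that path prefix, and because the answer's snippet drops script-src, a script from cdnjs.cloudflare.com would fall back to default-src 'self' and be refused. The checker says nothing about why no header shows up in the captured request; it only models what a policy allows once the browser receives it.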
