4c64b52ea0
Enable truly custom fonts in themes while maintaining zero runtime network
requests. Theme authors can include font files in their GitHub repos, and
fonts are automatically downloaded and embedded as data: URIs at install
time — the same approach used for theme CSS itself.
Security model:
- @font-face blocks only allow data: URIs (no http/https/relative URLs)
- Font MIME types are validated (font/woff2, font/ttf, etc.)
- Individual font files capped at 2MB, total at 10MB
- @font-face properties are allowlisted (font-family, src, font-weight,
font-style, font-display, font-stretch, unicode-range only)
- Font-family names from @font-face are available in --font-* variables
- No runtime network requests — all fonts stored locally after install
Key additions:
- extractFontFaceBlocks(): parse @font-face from theme CSS
- validateFontFaceBlock(): validate properties and data: URIs
- splitDeclarations(): semicolon-aware parser that respects data: URIs
- embedThemeFonts(): fetch font files from GitHub, convert to data: URIs
- ThemeInstaller calls embedThemeFonts() during catalog theme installation
- 30+ new test cases for @font-face validation and security edge cases
Example theme CSS with custom fonts:
@font-face {
font-family: 'My Font';
src: url('./MyFont.woff2') format('woff2');
}
:root { --font-body: 'My Font', sans-serif; }
https://claude.ai/code/session_01D4ASLpcBCvWF1nzPLz9Tw5
Getting Started
Actual is a local-first personal finance tool. It is 100% free and open-source, written in NodeJS, it has a synchronization element so that all your changes can move between devices without any heavy lifting.
If you are interested in contributing, or want to know how development works, see our contributing document we would love to have you.
Want to say thanks? Click the ⭐ at the top of the page.
Key Links
- Actual discord community.
- Actual Community Documentation
- Frequently asked questions
Installation
There are four ways to deploy Actual:
- One-click deployment via PikaPods (~1.40 $/month) - recommended for non-technical users
- Managed hosting via Fly.io (~1.50 $/month)
- Self-hosted by using a Docker image
- Local-only apps - downloadable Windows, Mac and Linux apps you can run on your device
Learn more in the installation instructions docs.
Ready to Start Budgeting?
Read about Envelope budgeting to know more about the idea behind Actual Budget.
Are you new to budgeting or want to start fresh?
Check out the community's Starting Fresh guide so you can quickly get up and running!
Are you migrating from other budgeting apps?
Check out the community's Migration guide to start jumping on the Actual Budget train!
Documentation
We have a wide range of documentation on how to use Actual, this is all available in our Community Documentation, this includes topics on Budgeting, Account Management, Tips & Tricks and some documentation for developers.
Contributing
Actual is a community driven product. Learn more about contributing to Actual.
Code structure
The Actual app is split up into a few packages:
- loot-core - The core application that runs on any platform
- desktop-client - The desktop UI
- desktop-electron - The desktop app
More information on the project structure is available in our community documentation.
Feature Requests
Current feature requests can be seen here. Vote for your favorite requests by reacting 👍 to the top comment of the request.
To add new feature requests, open a new Issue of the "Feature Request" type.
Translation
Make Actual Budget accessible to more people by helping with the Internationalization of Actual. We are using a crowd sourcing tool to manage the translations, see our Weblate Project. Weblate proudly supports open-source software projects through their Libre plan.
Repo Activity
Sponsors
Thanks to our wonderful sponsors who make Actual Budget possible!
