Fixed: Content Security Policy Warnings in Magento 2

You can use this solution to solve the warning shown below:
Any doubts? If so, mention them in the Comments section below for me to help you out asap.
The following table describes each type of CSP to configure it for your custom code/extension/theme

Method to Fix Content Security Policy Warnings in Magento 2:

It’s an example of ‘script-src’ warning, you can use the below solution for such kind of similar warnings as per the above path and method.
In the value tag, enter the domain which is mentioned in the warning.
Something went wrong.

Here, we will use the default mode with zero value.
You can solve any kind of CSP warning by following the above method.
Thank You!
Thank you for subscribing.

CSP warning

  1. report – only – Magento reports the policy violations but does not act upon it. It is mainly used for debugging. CSP works in this mode by default.
  2. restrict mode – Magento acts in the case of policy violations.

Also, I’d be grateful if you can help me spread the word about the post among Magento Community via social media.
1. Create a csp_whitelist.xml file in VendorExtensionetc

  1. style-src:
  2. frame-src:
  3. connect-src:
  4. img-src:
  5. font-src:

2. Create a config.xml file in VendorExtensionetc

Ways to Add Whitelisted Resources to Custom Code

Do share your thoughts on Magento CSP in the Comments section below.

default-src The default policy.
base-url Defines which URLs can appear in a page’s <base> element.
child-src Defines the sources for workers and embedded frame contents.
connect-src Defines the sources that can be loaded using script interfaces.
font-src Defines which sources can serve fonts.
form-action Defines valid endpoints for submission from <form> tags.
frame-ancestors Defines the sources that can embed the current page.
frame-src Defines the sources for elements such as <frame> and <iframe>.
img-src  Defines the sources from which images can be loaded.
manifest-src  Defines the allowable contents of web app manifests.
media-src Defines the sources from which images can be loaded.
object-src  Defines the sources for the <object>, <embed>, and <applet> elements.
script-src  Defines the sources for JavaScript <script> elements.
style-src  Defines the sources for stylesheets.

CSP is implemented in Magento 2.3.5 with an aim to offer an additional layer of defence to detect and mitigate cross-site scripting and its related data injection attacks.
We have to pass a unique random id to the value field.
CSP, i.e., Content Security Policy is a robust tool introduced to prevent attacks on your Magento 2 store that aims to offer an additional layer of defence to detect and fight against Cross-Site Scripting (XSS) and related attacks, including card skimmers, session hijacking, clickjacking, and more. As of version Magento 2.3.5, it supports CSP headers and provides ways to configure them.
That’s it.
Content Security Policy works in two modes:

Get Weekly Updates

You can add a domain to the whitelist for a policy like script-src, style-src, font-src and others by adding a csp_whitelist.xml to your custom module’s etc folder.

Never miss Magento tips, tricks, tutorials, and news.
One can disable Magento 2 content security policy also. However, disabling CSP results in more possibilities of attacks on the store. Instead of blocking all third-party APIs completely, you can use the below solution and allow your selected third-party API as per your requirement.




(based on 1 Reviews)