Fixed: Content Security Policy Warnings in Magento 2

Fixed: Content Security Policy Warnings in Magento 2

CSP, i.e., Content Security Policy is a robust tool introduced to prevent attacks on your Magento 2 store that aims to offer an additional layer of defence to detect and fight against Cross-Site Scripting (XSS) and related attacks, including card skimmers, session hijacking, clickjacking, and more. As of version Magento 2.3.5, it supports CSP headers and provides ways to configure them.

One can disable Magento 2 content security policy also. However, disabling CSP results in more possibilities of attacks on the store. Instead of blocking all third-party APIs completely, you can use the below solution and allow your selected third-party API as per your requirement.

CSP is implemented in Magento 2.3.5 with an aim to offer an additional layer of defence to detect and mitigate cross-site scripting and its related data injection attacks.

Method to Fix Content Security Policy Warnings in Magento 2:

You can use this solution to solve the warning shown below:

CSP warning

1. Create a csp_whitelist.xml file in Vendor\Extension\etc

You can add a domain to the whitelist for a policy like script-src, style-src, font-src and others by adding a csp_whitelist.xml to your custom module’s etc folder.

We have to pass a unique random id to the value field.

In the value tag, enter the domain which is mentioned in the warning.

2. Create a config.xml file in Vendor\Extension\etc

Content Security Policy works in two modes:

  1. report – only – Magento reports the policy violations but does not act upon it. It is mainly used for debugging. CSP works in this mode by default.
  2. restrict mode – Magento acts in the case of policy violations.

Here, we will use the default mode with zero value.

It’s an example of ‘script-src’ warning, you can use the below solution for such kind of similar warnings as per the above path and method.

  1. style-src:

  2. frame-src:

  3. connect-src:

  4. img-src:

  5. font-src:

You can solve any kind of CSP warning by following the above method.

Ways to Add Whitelisted Resources to Custom Code

The following table describes each type of CSP to configure it for your custom code/extension/theme

default-srcThe default policy.
base-urlDefines which URLs can appear in a page’s <base> element.
child-srcDefines the sources for workers and embedded frame contents.
connect-srcDefines the sources that can be loaded using script interfaces.
font-srcDefines which sources can serve fonts.
form-actionDefines valid endpoints for submission from <form> tags.
frame-ancestorsDefines the sources that can embed the current page.
frame-srcDefines the sources for elements such as <frame> and <iframe>.
img-src Defines the sources from which images can be loaded.
manifest-src Defines the allowable contents of web app manifests.
media-srcDefines the sources from which images can be loaded.
object-src Defines the sources for the <object>, <embed>, and <applet> elements.
script-src Defines the sources for JavaScript <script> elements.
style-src Defines the sources for stylesheets.

That’s it.

Any doubts? If so, mention them in the Comments section below for me to help you out asap.

Do share your thoughts on Magento CSP in the Comments section below.

Also, I’d be grateful if you can help me spread the word about the post among Magento Community via social media.

Thank You!

Get Weekly Updates

Never miss Magento tips, tricks, tutorials, and news.

Thank you for subscribing.

Something went wrong.

(based on 14 Reviews)

Ronak is a Magento Developer at Meetanshi. He loves playing cricket. Apart from the work, he is an enthusiastic person who loves learning new skills.

Leave a reply:

Your email address will not be published.