{"id":1716,"date":"2021-04-25T11:59:12","date_gmt":"2021-04-25T11:59:12","guid":{"rendered":"https:\/\/meetanshi.com\/blog\/fixed-content-security-policy-warnings-in-magento-2\/"},"modified":"2025-05-22T10:37:23","modified_gmt":"2025-05-22T05:07:23","slug":"fixed-content-security-policy-warnings-in-magento-2","status":"publish","type":"post","link":"https:\/\/meetanshi.com\/blog\/fixed-content-security-policy-warnings-in-magento-2\/","title":{"rendered":"Fixed: Content Security Policy Warnings in Magento 2"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">CSP, i.e.,&nbsp;<a href=\"https:\/\/developer.adobe.com\/commerce\/php\/development\/\" target=\"_blank\" rel=\"noreferrer noopener\">Content Security Policy<\/a>&nbsp;is a robust tool introduced to prevent attacks on your Magento 2 store that aims to offer an additional layer of defence to detect and fight against Cross-Site Scripting (XSS) and related attacks, including card skimmers, session hijacking, clickjacking, and more. As of version&nbsp;<a href=\"https:\/\/meetanshi.com\/blog\/magento-2-3-5-release\/\" target=\"_blank\" rel=\"noreferrer noopener\">Magento 2.3.5<\/a>, it supports CSP headers and provides ways to configure them.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">One can&nbsp;<a href=\"https:\/\/meetanshi.com\/blog\/disable-magento-2-content-security-policy\/\" target=\"_blank\" rel=\"noreferrer noopener\">disable Magento 2 content security policy<\/a>&nbsp;also. However, disabling CSP results in more possibilities of attacks on the store. Instead of blocking all third-party APIs completely, you can use the below solution and allow your selected third-party API as per your requirement.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/developer.adobe.com\/commerce\/docs\/#substantial-security-enhancements\" target=\"_blank\" rel=\"noreferrer noopener\">CSP is implemented in Magento 2.3.5<\/a>&nbsp;with an aim to offer an additional layer of defence to detect and mitigate cross-site scripting and its related data injection attacks.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Method to Fix Content Security Policy Warnings in Magento 2:<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">You can use this solution to solve the warning shown below:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/meetanshi.com\/blog\/wp-content\/uploads\/2021\/04\/Screenshot-at-April-12th-2021-11.11.35-am.png\" alt=\"CSP warning\" class=\"wp-image-14415\"\/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">1. Create a&nbsp;<strong>csp_whitelist.xml<\/strong>&nbsp;file in&nbsp;<strong><strong>Vendor\\Extension\\etc<\/strong><\/strong><\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">&lt;? xml version = \"1.0\"?>\n&lt;csp_whitelist xmlns:xsi=\"http:\/\/www.w3.org\/2001\/XMLSchema-instance\"\n               xsi:noNamespaceSchemaLocation=\"urn:magento:module:Magento_Csp\/etc\/csp_whitelist.xsd\">\n    &lt;policies>\n        &lt;policy id=\"script-src\">\n            &lt;values>\n                &lt;value id=\"uniqueId\" type=\"host\">https:\/\/domain.com&lt;\/value>\n                &lt;value id=\"uniqueId\" type=\"host\">accounts.google.com&lt;\/value>\n            &lt;\/values>\n        &lt;\/policy>\n    &lt;\/policies>\n&lt;\/csp_whitelist><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">You can add a domain to the whitelist for a policy like script-src, style-src, font-src and others by adding a csp_whitelist.xml to your custom module\u2019s etc folder.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We have to pass a unique random id to the value field.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In the value tag, enter the domain which is mentioned in the warning.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">2. Create a&nbsp;<strong>config.xml<\/strong>&nbsp;file in&nbsp;<strong><strong>Vendor\\Extension\\etc<\/strong><\/strong><\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">&lt;?xml version=\"1.0\"?>\n&lt;config xmlns:xsi=\"http:\/\/www.w3.org\/2001\/XMLSchema-instance\"\n        xsi:noNamespaceSchemaLocation=\"urn:magento:module:Magento_Store:etc\/config.xsd\">\n    &lt;default>\n        &lt;csp>\n            &lt;mode>\n                &lt;storefront>\n                    &lt;report_only>0&lt;\/report_only>\n                &lt;\/storefront>\n                &lt;admin>\n                    &lt;report_only>0&lt;\/report_only>\n                &lt;\/admin>\n            &lt;\/mode>\n        &lt;\/csp>\n    &lt;\/default>\n&lt;\/config><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Content Security Policy works in two modes:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>report \u2013 only<\/strong>&nbsp;\u2013 Magento reports the policy violations but does not act upon it. It is mainly used for debugging. CSP works in this mode by default.<\/li>\n\n\n\n<li><strong>restrict mode<\/strong>&nbsp;\u2013 Magento acts in the case of policy violations.<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">Here, we will use the default mode with zero value.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">It\u2019s an example of \u2018script-src\u2019 warning, you can use the below solution for such kind of similar warnings as per the above path and method.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>1. style-src:<\/strong><\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\"> &lt;policy id=\"style-src\">\n            &lt;values>\n                &lt;value id=\"uniqueId\" type=\"host\">https:\/\/domain.com&lt;\/value>\n                &lt;value id=\"uniqueId\" type=\"host\">https:\/\/accounts.google.com\/gsi\/style&lt;\/value>\n            &lt;\/values>\n &lt;\/policy><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>2. frame-src:<\/strong><\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\"> &lt;policy id=\"frame-src\">\n            &lt;values>\n                &lt;value id=\"uniqueId\" type=\"host\">https:\/\/domain.com&lt;\/value>\n                &lt;value id=\"uniqueId\" type=\"host\">https:\/\/accounts.google.com&lt;\/value>\n            &lt;\/values>\n &lt;\/policy><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>3. connect-src:<\/strong><\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\"> &lt;policy id=\"connect-src\">\n            &lt;values>\n                &lt;value id=\"uniqueId\" type=\"host\">https:\/\/domain.com&lt;\/value>\n                &lt;value id=\"uniqueId\" type=\"host\">https:\/\/accounts.google.com\/gsi\/status&lt;\/value>\n            &lt;\/values>\n &lt;\/policy><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>4. img-src:<\/strong><\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\"> &lt;policy id=\"img-src\">\n            &lt;values>\n                &lt;value id=\"uniqueId\" type=\"host\">https:\/\/domain.com&lt;\/value>\n                &lt;value id=\"meetanshi-image\" type=\"host\">https:\/\/meetanshi.com\/media.png&lt;\/value>\n            &lt;\/values>\n &lt;\/policy><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>5. font-src:<\/strong><\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\"> &lt;policy id=\"font-src\">\n            &lt;values>\n                &lt;value id=\"uniqueId\" type=\"host\">https:\/\/domain.com&lt;\/value>\n                &lt;value id=\"uniqueId\" type=\"host\">*.gstatic.com&lt;\/value>\n            &lt;\/values>\n &lt;\/policy><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">You can solve any kind of CSP warning by following the above method.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"configure-csps-for-your-custom-codeextensiontheme\">Ways to Add Whitelisted Resources to Custom Code<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The following table describes each type of CSP to configure it for your custom code\/extension\/theme<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Also, I\u2019d be grateful if you can help me spread the word about the post among Magento Community via social media.Thank You!<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th colspan=\"2\">CSP Code &amp; Description<\/th><\/tr><tr><th><strong>CSP Code<\/strong><\/th><th><strong>Description<\/strong><\/th><\/tr><\/thead><tbody><tr><td>default-src<\/td><td>The default policy.<\/td><\/tr><tr><td>base-url<\/td><td>Defines which URLs can appear in a page\u2019s &lt;base&gt; element.<\/td><\/tr><tr><td>child-src<\/td><td>Defines the sources for workers and embedded frame contents.<\/td><\/tr><tr><td>connect-src<\/td><td>Defines the sources that can be loaded using script interfaces.<\/td><\/tr><tr><td>font-src<\/td><td>Defines which sources can serve fonts.<\/td><\/tr><tr><td>form-action<\/td><td>Defines valid endpoints for submission fromtags.<\/td><\/tr><tr><td>frame-ancestors<\/td><td>Defines the sources that can embed the current page.<\/td><\/tr><tr><td>img-src<\/td><td>Defines the sources from which images can be loaded.<\/td><\/tr><tr><td>manifest-src<\/td><td>Defines the allowable contents of web app manifests.<\/td><\/tr><tr><td>media-src<\/td><td>Defines the sources from which images can be loaded.<\/td><\/tr><tr><td>object-src&nbsp;<\/td><td>Defines the sources for the&nbsp;<object width=\"300\" height=\"150\"><\/object><\/td><\/tr><tr><td>script-src&nbsp;<\/td><td>Defines the sources for JavaScript elements.<\/td><\/tr><tr><td>style-src&nbsp;<\/td><td>Defines the sources for stylesheets.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">That\u2019s it.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Also, I\u2019d be grateful if you can help me spread the word about the post among Magento Community via social media.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Thank You!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>CSP, i.e.,&nbsp;Content Security Policy&nbsp;is a robust tool introduced to prevent attacks on your Magento 2 store that aims to offer an additional layer of defence&#8230;<\/p>\n","protected":false},"author":5,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[34],"tags":[],"class_list":["post-1716","post","type-post","status-publish","format-standard","hentry","category-magento"],"acf":[],"_links":{"self":[{"href":"https:\/\/meetanshi.com\/blog\/wp-json\/wp\/v2\/posts\/1716","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/meetanshi.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/meetanshi.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/meetanshi.com\/blog\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/meetanshi.com\/blog\/wp-json\/wp\/v2\/comments?post=1716"}],"version-history":[{"count":9,"href":"https:\/\/meetanshi.com\/blog\/wp-json\/wp\/v2\/posts\/1716\/revisions"}],"predecessor-version":[{"id":14364,"href":"https:\/\/meetanshi.com\/blog\/wp-json\/wp\/v2\/posts\/1716\/revisions\/14364"}],"wp:attachment":[{"href":"https:\/\/meetanshi.com\/blog\/wp-json\/wp\/v2\/media?parent=1716"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/meetanshi.com\/blog\/wp-json\/wp\/v2\/categories?post=1716"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/meetanshi.com\/blog\/wp-json\/wp\/v2\/tags?post=1716"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}