Magento – Magento 2.3.5 Content Security Policy directive: “img-src

Tags: magento2.3.5, security

Upgraded to 2.3.5 and now getting this error below throughout the site on every page:

[Report Only] Refused to load the image
'blob:http://my.domayn.com/axxxxxxxxxxxx' because it violates the
following Content Security Policy directive: "img-src
widgets.magentocommerce.com www.googleadservices.com
www.google-analytics.com t.paypal.com www.paypal.com
www.paypalobjects.com fpdbs.paypal.com fpdbs.sandbox.paypal.com
*.vimeocdn.com s.ytimg.com 'self' 'unsafe-inline'".

Is anyone facing the same issue?

Best Answer

As of version 2.3.5, Magento supports Content Security Policy headers and provides ways to configure them.

Content Security Policies (CSP) are a powerful tool to mitigate against Cross Site Scripting (XSS) and related attacks, including card skimmers, session hijacking, clickjacking, and more.

By default, Content Security Policy is configured in report-only mode, which allows merchants and developers to configure policies to work according to their custom code.

Your browser is not showing a Magento 2 error; it is reporting a CSP policy violation.

You can configure your own custom CSP rules by adding a csp_whitelist.xml to the etc folder of a custom module.

You can find more information on how to do this here.

https://devdocs.magento.com/guides/v2.3/extension-dev-guide/security/content-security-policies.html

To completely disable CSP you can also try

bin/magento module:disable Magento_Csp
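As an added illustration of the csp_whitelist.xml approach described in the answer (not code from the original post or from Magento itself), this is what an etc/csp_whitelist.xml in a hypothetical Vendor_Module could look like to allow the blob: image source from the reported violation, so the policy can stay enabled instead of disabling Magento_Csp. The module name and the value id are assumptions; that a scheme such as blob: is accepted as a type="host" value should be checked against the linked devdocs page for your version.

```xml
<?xml version="1.0"?>
<!-- app/code/Vendor/Module/etc/csp_whitelist.xml (module name is a placeholder) -->
<csp_whitelist xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Csp/etc/csp_whitelist.xsd">
    <policies>
        <!-- Only the directive named in the browser report is extended; the
             other img-src hosts from the default policy are left untouched. -->
        <policy id="img-src">
            <values>
                <!-- Assumption: the blob: scheme is supplied as a host-type value
                     and emitted verbatim into the img-src directive. -->
                <value id="blob-images" type="host">blob:</value>
            </values>
        </policy>
    </policies>
</csp_whitelist>
```

While the policy is still in report-only mode the browser keeps loading the image and only logs the violation, so the whitelist entry can be verified by checking that the console report disappears before the mode is ever switched to enforcing.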