Regarding CSP, I created my own csp_whitelist, but I am still getting:
The Content Security Policy 'font-src 'self' 'unsafe-inline';
form-action secure.authorize.net test.authorize.net
geostag.cardinalcommerce.com geo.cardinalcommerce.com
1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com
centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com
'self' 'unsafe-inline'; frame-ancestors 'self' 'unsafe-inline';
frame-src secure.authorize.net test.authorize.net
geostag.cardinalcommerce.com geo.cardinalcommerce.com
1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com
centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com
www.paypal.com www.sandbox.paypal.com https://js.stripe.com/
https://www.googletagmanager.com/ https://www.google.com/ 'self'
'unsafe-inline'; img-src widgets.magentocommerce.com
www.googleadservices.com www.google-analytics.com t.paypal.com
www.paypal.com www.paypalobjects.com fpdbs.paypal.com
fpdbs.sandbox.paypal.com *.vimeocdn.com s.ytimg.com
https://stats.g.doubleclick.net/ data: 'self' 'unsafe-inline';
script-src assets.adobedtm.com js.authorize.net jstest.authorize.net
secure.authorize.net test.authorize.net geostag.cardinalcommerce.com
1eafstag.cardinalcommerce.com geoapi.cardinalcommerce.com
1eafapi.cardinalcommerce.com songbird.cardinalcommerce.com
includestest.ccdc02.com www.googleadservices.com
www.google-analytics.com www.paypal.com www.sandbox.paypal.com
www.paypalobjects.com t.paypal.com js.braintreegateway.com s.ytimg.com
video.google.com vimeo.com www.vimeo.com cdn-scripts.signifyd.com
www.youtube.com https://js.stripe.com/v3/
https://www.googletagmanager.com/gtm.js
https://www.google.com/recaptcha/api.js https://www.gstatic.com/
'self' 'unsafe-inline' 'unsafe-eval'; style-src getfirebug.com 'self'
'unsafe-inline'; object-src 'self' 'unsafe-inline'; media-src 'self'
'unsafe-inline'; manifest-src 'self' 'unsafe-inline'; connect-src
geostag.cardinalcommerce.com geo.cardinalcommerce.com
1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com
centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com
'self' 'unsafe-inline'; child-src 'self' 'unsafe-inline'; default-src
'self' 'unsafe-inline' 'unsafe-eval'; base-uri 'self'
'unsafe-inline';' was delivered in report-only mode, but does not
specify a 'report-uri'; the policy will have no effect. Please either
add a 'report-uri' directive, or deliver the policy via the
'Content-Security-Policy' header.
Can I fix it using csp_whitelist.xml?
Edit:
I tried to add some of those domains as hosts to font-src, but it doesn't solve the issue. I mean, the domains didn't disappear from the warning.
EDIT && Solutions:
For the issue I wrote about here (The Content Security Policy 'font-src 'self' 'unsafe-inline'; ...), it is enough to set up report_uri in your csp_whitelist.xml file.
For the issue with data:xxx, it is enough to add
<policy id="font-src"> <values> <value id="data" type="host">data:</value> </values> </policy>
to your csp_whitelist.xml file.
Of course, you should add the data: policy depending on the scope where you have the problem (the policy id should be changed, for example, to img-src etc.).
It is necessary to set it as host, because right now Magento doesn't read any other types.
Best Answer
At the end of the console report, it says:
"...was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header."
This is not saying that the domain values for each of the listed policies are not whitelisted; they are by default (this error made me believe they weren't until I really looked at it closer). It's saying that there is no report-uri directive. From the devdocs, it says:
Regardless of restrict or report-only mode, CSP violations may be reported to an endpoint for collection. The URL to use for reporting by browsers can be configured in your custom module’s config.xml file:
By default, CSP sends errors to the browser console, but can be configured to collect error logs by HTTP request. In addition, there are a number of third-party services that you can use to monitor, collect, and report CSP violations. So, either configure it to be reported to the error logs by https request, or create a custom module and configure the report_uri directive with the CSP reporting service of your liking. https://devdocs.magento.com/security/content-security-policy-overview.html
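As an added example (not code from the question, the answer or Magento), a small Python checker that splits a serialized CSP the way a browser does and flags the exact condition the console warned about: a report-only policy with no report-uri or report-to. The policy string is abbreviated from the console message quoted in the question.

```python
"""Check a serialized Content-Security-Policy for the report-only
misconfiguration discussed above, plus the weak source keywords it carries."""
from typing import Dict, List

# Abbreviated from the console message in the question (directive order kept).
PAGE_POLICY = (
    "font-src 'self' 'unsafe-inline'; "
    "script-src js.authorize.net www.google-analytics.com 'self' 'unsafe-inline' 'unsafe-eval'; "
    "img-src www.google-analytics.com data: 'self' 'unsafe-inline'; "
    "default-src 'self' 'unsafe-inline' 'unsafe-eval'; base-uri 'self' 'unsafe-inline'"
)


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP into {directive: [source values]}.

    Directives are separated by ';', names are case-insensitive, and when a
    directive is repeated browsers keep only the first occurrence.
    """
    directives: Dict[str, List[str]] = {}
    for raw in policy.split(";"):
        tokens = raw.strip().split()
        if not tokens:
            continue
        directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def audit_csp(policy: str, report_only: bool) -> List[str]:
    """Return findings for a policy as delivered (enforced or report-only)."""
    d = parse_csp(policy)
    findings: List[str] = []
    # The warning from the question: Report-Only with nowhere to send reports.
    if report_only and "report-uri" not in d and "report-to" not in d:
        findings.append("report-only policy has no report-uri/report-to; it has no effect")
    # Script-controlling directives that disable the protection CSP is meant to give.
    for name in ("script-src", "default-src"):
        srcs = d.get(name, [])
        has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in srcs)
        if "'unsafe-inline'" in srcs and not has_nonce_or_hash:
            findings.append(f"{name} allows 'unsafe-inline' without nonces or hashes")
        if "'unsafe-eval'" in srcs:
            findings.append(f"{name} allows 'unsafe-eval'")
    return findings


if __name__ == "__main__":
    for line in audit_csp(PAGE_POLICY, report_only=True):
        print("-", line)
```

Appending a report-uri directive (or delivering the header as Content-Security-Policy instead of Content-Security-Policy-Report-Only) clears the first finding; the keyword findings remain until the inline scripts are replaced with nonces or hashes.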