Fixed: Content Security Policy Warnings in Magento 2

By |

Magento 2,

CSP, i.e., Content Security Policy is a robust tool introduced to prevent attacks on your Magento 2 store that aims to offer an additional layer of defence to detect and fight against Cross-Site Scripting (XSS) and related attacks, including card skimmers, session hijacking, clickjacking, and more. As of version Magento 2.3.5, it supports CSP headers and provides ways to configure them.

One can disable Magento 2 content security policy also. However, disabling CSP results in more possibilities of attacks on the store. Instead of blocking all third-party APIs completely, you can use the below solution and allow your selected third-party API as per your requirement.

CSP is implemented in Magento 2.3.5 with an aim to offer an additional layer of defence to detect and mitigate cross-site scripting and its related data injection attacks.

Method to Fix Content Security Policy Warnings in Magento 2:

You can use this solution to solve the warning shown below:

CSP warning

1. Create a csp_whitelist.xml file in Vendor\Extension\etc

You can add a domain to the whitelist for a policy like script-src, style-src, font-src and others by adding a csp_whitelist.xml to your custom module’s etc folder.

We have to pass a unique random id to the value field.

In the value tag, enter the domain which is mentioned in the warning.

2. Create a config.xml file in Vendor\Extension\etc

Content Security Policy works in two modes:

  1. report – only – Magento reports the policy violations but does not act upon it. It is mainly used for debugging. CSP works in this mode by default.
  2. restrict mode – Magento acts in the case of policy violations.

Here, we will use the default mode with zero value.

It’s an example of ‘script-src’ warning, you can use the below solution for such kind of similar warnings as per the above path and method.

  1. style-src:

  2. frame-src:

  3. connect-src:

  4. img-src:

  5. font-src:

You can solve any kind of CSP warning by following the above method.

Ways to Add Whitelisted Resources to Custom Code

The following table describes each type of CSP to configure it for your custom code/extension/theme

That’s it.Any doubts? If so, mention them in the Comments section below for me to help you out asap.Do share your thoughts on Magento CSP in the Comments section below.Also, I’d be grateful if you can help me spread the word about the post among Magento Community via social media.Thank You!

CSP Code & Description
CSP Code Description
default-src The default policy.
base-url Defines which URLs can appear in a page’s <base> element.
child-src Defines the sources for workers and embedded frame contents.
connect-src Defines the sources that can be loaded using script interfaces.
font-src Defines which sources can serve fonts.
form-action Defines valid endpoints for submission from

tags.
frame-ancestors Defines the sources that can embed the current page.
img-src Defines the sources from which images can be loaded.
manifest-src Defines the allowable contents of web app manifests.
media-src Defines the sources from which images can be loaded.
object-src  Defines the sources for the ,, and elements.

script-src  Defines the sources for JavaScript elements.
style-src  Defines the sources for stylesheets.

That’s it.

Any doubts? If so, mention them in the Comments section below for me to help you out asap.

Do share your thoughts on Magento CSP in the Comments section below.

Also, I’d be grateful if you can help me spread the word about the post among Magento Community via social media.

Thank You!

Hire Magento developer

Still need help? Hire our Adobe-certified Magento experts.

×

4.7
(based on 27 Reviews)
Fixed: Content Security Policy Warnings in Magento 2Author Magento Badge

Sanjay Jethva

Sanjay is the co-founder and CTO of Meetanshi with hands-on expertise with Magento since 2011. He specializes in complex development, integrations, extensions, and customizations. Sanjay is one the top 50 contributor to the Magento community and is recognized by Adobe.

His passion for Magento 2 and Shopify solutions has made him a trusted source for businesses seeking to optimize their online stores. He loves sharing technical solutions related to Magento 2 & Shopify.

8 Comments

  • Avatar
    Alex
    October 22, 2023 at 11:34 pm
    Reply

    Hi, how do I remove “The source list for the Content Security Policy directive ‘frame-src’ contains an invalid source: ‘data:text’. It will be ignored.” it’s blocking my google map to be rendered.

  • Avatar
    harish
    March 28, 2022 at 5:43 pm
    Reply

    Hii
    How to fix The Content-Security-Policy directive ‘frame-ancestors’ does not support the source expression ”unsafe-inline”
    also The Content Security Policy directive ‘report-uri’ specifies as endpoint ”. This endpoint will be ignored since it violates the policy for Mixed Content.

  • Avatar
    Pawel
    January 18, 2022 at 11:25 pm
    Reply

    Hi,

    How do I bite “The Content-Security-Policy directive ‘frame-ancestors’ does not support the source expression ”unsafe-inline”
    jquery-3.1.1.min.js:3 ” when I’m logged in the admin panel?

    Pawel

    • Sanjay Jethva
      Sanjay Jethva
      January 19, 2022 at 11:37 am
      Reply

      Hello Pawel,
      Use the below code in etc/config.xml file
      <admin>
      <frame-ancestors>
      <inline>0</inline> </frame-ancestors> </admin> Thank You

  • Avatar
    Steve
    July 10, 2021 at 12:04 am
    Reply

    So where should we these files to? I didnt see a VendorExtension path?

    • Sanjay Jethva
      Sanjay Jethva
      July 14, 2021 at 5:59 pm
      Reply

      Hello Steve,
      VendorExtension resides in app/code.
      for example Meetanshi_Csp is a extension inside app/code directory
      so for us vendor = Meetanshi and Extension = Csp
      Thank You.

Leave a Reply

Your email address will not be published. Required fields are marked *