Magento 2.4.7 – CSP Assistance needed with inline script errors

This is a follow-up to this question: Magento 2.4.7 – Advice setting up csp
I have set up/configured a custom csp module. This is the current csp_whitelist.xml:

<?xml version="1.0"?>
<csp_whitelist xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Csp:etc/csp_whitelist.xsd">
    <policies>
        <policy id="default-src">
            <values>
                <value id="data" type="host">'self'</value>
            </values>
        </policy>
        <policy id="base-uri">
            <values>
                <value id="data" type="host">'self'</value>
            </values>
        </policy>
        <policy id="font-src">
            <values>
                <value id="data" type="host">'self' data: https://maxcdn.bootstrapcdn.com</value>
                <value id="bootstrapcdn" type="host">*.bootstrapcdn.com</value>
                <value id="fontawesome" type="host">*.fontawesome.com</value>
                <value id="googleapis" type="host">*.googleapis.com</value>
                <value id="gstatic" type="host">*.gstatic.com</value>
            </values>
        </policy>
        <policy id="style-src">
            <values>
                <value id="hash" type="hash" algorithm="sha256">W5akSSK6LD5BjIlNICMcXaUObQSRAaj6bs7JHADURBA=</value>
                <value id="hash2" type="hash" algorithm="sha256">3qVqeAdyxxTdPkkRzqapjGkAUYLahxSrB7Mdup+GPQ0=</value>
                <value id="hash3" type="hash" algorithm="sha256">2rvfFrggTCtyF5WOiTri1gDS8Boibj4Njn0e+VCBmDI=</value>
                <value id="hash4" type="hash" algorithm="sha256">p8MCfMHqrovsjRYU9z0bU17dd0z81k/fVbGrtBBiM9g=</value>
                <value id="hash5" type="hash" algorithm="sha256">0pk2s4oXwBELlC6IBVb3nNaM2PjfjwI2N6OGIX5lx8Y=</value>
                <value id="hash6" type="hash" algorithm="sha256">nkEZknO0IxNxY/CkTMBhjNhwPvglpYumjx31B4fjkY8=</value>
                <value id="data" type="host">'report-sample'</value>
                <value id="data2" type="host">'self'</value>
                <value id="data3" type="host">'unsafe-inline'</value>
                <value id="data4" type="host">https://maxcdn.bootstrapcdn.com</value>
                <value id="bootstrapcdn" type="host">*.bootstrapcdn.com</value>
                <value id="cloudflare" type="host">*.cloudflare.com</value>
                <value id="fontawesome" type="host">*.fontawesome.com</value>
                <value id="google-apis" type="host">*.googleapis.com</value>
                <value id="gstatic" type="host">*.gstatic.com</value>
            </values>
        </policy>
        <policy id="img-src">
            <values>
                <value id="data" type="host">'self'</value>
                <value id="adobedtm-assets" type="host">assets.adobedtm.com</value>
                <value id="adobedtm-all" type="host">*.adobedtm.com</value>
                <value id="cloudflare" type="host">*.cloudflare.com</value>
                <value id="googleadservices" type="host">*.googleadservices.com</value>
                <value id="google-analytics" type="host">*.google-analytics.com</value>
                <value id="vimeocdn" type="host">*.vimeocdn.com</value>
            </values>
        </policy>
        <policy id="connect-src">
            <values>
                <value id="data" type="host">'self'</value>
                <value id="cloudflare" type="host">*.cloudflare.com</value>
                <value id="google-maps" type="host">'self' https://maps.googleapis.com</value>
            </values>
        </policy>
        <policy id="frame-src">
            <values>
                <value id="data" type="host">'self'</value>
                <value id="stripe" type="host">https://js.stripe.com</value>
                <value id="google" type="host">*.google.com</value>
            </values>
        </policy>
        <policy id="script-src">
            <values>
                <value id="hash" type="hash" algorithm="sha256">W5akSSK6LD5BjIlNICMcXaUObQSRAaj6bs7JHADURBA=</value>
                <value id="hash2" type="hash" algorithm="sha256">3qVqeAdyxxTdPkkRzqapjGkAUYLahxSrB7Mdup+GPQ0=</value>
                <value id="hash3" type="hash" algorithm="sha256">2rvfFrggTCtyF5WOiTri1gDS8Boibj4Njn0e+VCBmDI=</value>
                <value id="hash4" type="hash" algorithm="sha256">p8MCfMHqrovsjRYU9z0bU17dd0z81k/fVbGrtBBiM9g=</value>
                <value id="hash5" type="hash" algorithm="sha256">0pk2s4oXwBELlC6IBVb3nNaM2PjfjwI2N6OGIX5lx8Y=</value>
                <value id="hash6" type="hash" algorithm="sha256">nkEZknO0IxNxY/CkTMBhjNhwPvglpYumjx31B4fjkY8=</value>
                <value id="report-sample" type="host">'report-sample'</value>
                <value id="self" type="host">'self'</value>
                <value id="unsafe-eval" type="host">'unsafe-eval'</value>
                <value id="unsafe-hashes" type="host">'unsafe-hashes'</value>
                <value id="unsafe-inline" type="host">'unsafe-inline'</value>
                <value id="adobedtm-assets" type="host">assets.adobedtm.com</value>
                <value id="adobedtm-all" type="host">*.adobedtm.com</value>
                <value id="adobe" type="host">*.adobe.com</value>
                <value id="avada" type="host">*.avada.io</value>
                <value id="amcglobal" type="host">amcglobal.sc.omtrdc.net</value>
                <value id="braintree-api" type="host">api.braintreegateway.com</value>
                <value id="braintree-sandbox" type="host">api.sandbox.braintreegateway.com</value>
                <value id="braintree-analytics" type="host">client-analytics.braintreegateway.com</value>
                <value id="braintree-analytics-sand" type="host">client-analytics.sandbox.braintreegateway.com</value>
                <value id="braintree-js" type="host">js.braintreegateway.com</value>
                <value id="braintree-assets" type="host">assets.braintreegateway.com</value>
                <value id="cardinalcommerce" type="host">geostag.cardinalcommerce.com</value>
                <value id="cardinalcommerce2" type="host">1eafstag.cardinalcommerce.com</value>
                <value id="cardinalcommerce3" type="host">geoapi.cardinalcommerce.com</value>
                <value id="cardinalcommerce4" type="host">1eafapi.cardinalcommerce.com</value>
                <value id="cardinalcommerce5" type="host">songbird.cardinalcommerce.com</value>
                <value id="cardinalcommerce6" type="host">*.cardinalcommerce.com</value>
                <value id="cardinalcommerce7" type="host">songbirdstag.cardinalcommerce.com</value>
                <value id="commerce-payment8" type="host">*.commerce-payment-services.com</value>
                <value id="cloudflare" type="host">*.cloudflare.com</value>
                <value id="google-pay" type="host">pay.google.com</value>
                <value id="google-analytics" type="host">*.google-analytics.com</value>
                <value id="google-analytics2" type="host">www.google-analytics.com</value>
                <value id="google-analytics3" type="host">analytics.google.com</value>
                <value id="google-analytics4" type="host">analytics.google.com</value>
                <value id="googletagmanager" type="host">googletagmanager.com</value>
                <value id="googletagmanager2" type="host">www.googletagmanager.com</value>
                <value id="googletagmanager3" type="host">*.googletagmanager.com</value>
                <value id="google-apis" type="host">apis.google.com</value>
                <value id="google-apis2" type="host">*.googleapis.com</value>
                <value id="google-apis3" type="host">www.googleapis.com</value>
                <value id="google-ads" type="host">www.googleadservices.com</value>
                <value id="google-ads2" type="host">googleads.g.doubleclick.net</value>
                <value id="google-ads3" type="host">*.googleadservices.com</value>
                <value id="google-ads4" type="host">googleads.g.doubleclick.net</value>
                <value id="gstatic" type="host">*.gstatic.com</value>
                <value id="google-recaptcha" type="host">https://www.gstatic.com/recaptcha/</value>
                <value id="google-recaptcha2" type="host">https://www.google.com/recaptcha/</value>
                <value id="google-recaptcha3" type="host">www.google.com/recaptcha/</value>
                <value id="google-recaptcha4" type="host">www.gstatic.com/recaptcha/</value>
                <value id="google-recaptcha5" type="host">https://www.gstatic.com/recaptcha</value>
                <value id="google-recaptcha6" type="host">https://www.google.com/recaptcha</value>
                <value id="google" type="host">google.com</value>
                <value id="google2" type="host">*.google.com</value>
                <value id="google3" type="host">*.google.com/</value>
                <value id="google-maps" type="host">https://maps.googleapis.com/maps/api/js</value>
                <value id="includestest" type="host">includestest.ccdc02.com</value>
                <value id="instagram" type="host">*.instagram.com</value>
                <value id="klarna" type="host">klarna.com</value>
                <value id="klarna2" type="host">*.klarna.com</value>
                <value id="klarna3" type="host">*.klarnacdn.net</value>
                <value id="klarna4" type="host">*.klarnaevt.com</value>
                <value id="magento-ds" type="host">*.magento-ds.com</value>
                <value id="newrelic" type="host">*.newrelic.com</value>
                <value id="nr-data" type="host">*.nr-data.net</value>
                <value id="paypal" type="host">www.paypal.com</value>
                <value id="paypal-objects" type="host">www.paypalobjects.com</value>
                <value id="paypal-objects2" type="host">*.paypalobjects.com</value>
                <value id="paypal-t" type="host">t.paypal.com</value>
                <value id="paypal-c" type="host">c.paypal.com</value>
                <value id="paypal-all" type="host">*.paypal.com</value>
                <value id="paypal-sandbox" type="host">www.sandbox.paypal.com</value>
                <value id="paypal-sandbox2" type="host">sandbox.paypal.com</value>
                <value id="paypal-sandbox3" type="host">*.sandbox.paypal.com</value>
                <value id="paypal-t2" type="host">t.paypal.com</value>
                <value id="stripe-js" type="host">https://js.stripe.com/v3/</value>
                <value id="stripe-all" type="host">*.stripe.com</value>
                <value id="stripe-link" type="host">*.link.com</value>
                <value id="typekit" type="host">*.typekit.net</value>
                <value id="typekit2" type="host">use.typekit.net</value>
                <value id="vimeo" type="host">*.vimeo.com</value>
                <value id="vimeo2" type="host">www.vimeo.com</value>
                <value id="vimeo3" type="host">*.vimeocdn.com</value>
                <value id="youtube" type="host">*.youtube.com</value>
                <value id="ytimg" type="host">s.ytimg.com</value>
            </values>
        </policy>
        <policy id="media-src">
            <values>
                <value id="data" type="host">'self'</value>
            </values>
        </policy>
        <policy id="manifest-src">
            <values>
                <value id="data" type="host">'self'</value>
            </values>
        </policy>
        <policy id="object-src">
            <values>
                <value id="data" type="host">'none'</value>
                <value id="hash" type="hash" algorithm="sha256">W5akSSK6LD5BjIlNICMcXaUObQSRAaj6bs7JHADURBA=</value>
                <value id="hash2" type="hash" algorithm="sha256">3qVqeAdyxxTdPkkRzqapjGkAUYLahxSrB7Mdup+GPQ0=</value>
                <value id="hash3" type="hash" algorithm="sha256">2rvfFrggTCtyF5WOiTri1gDS8Boibj4Njn0e+VCBmDI=</value>
                <value id="hash4" type="hash" algorithm="sha256">p8MCfMHqrovsjRYU9z0bU17dd0z81k/fVbGrtBBiM9g=</value>
                <value id="hash5" type="hash" algorithm="sha256">0pk2s4oXwBELlC6IBVb3nNaM2PjfjwI2N6OGIX5lx8Y=</value>
                <value id="hash6" type="hash" algorithm="sha256">nkEZknO0IxNxY/CkTMBhjNhwPvglpYumjx31B4fjkY8=</value>
            </values>
        </policy>
        <policy id="worker-src">
            <values>
                <value id="data" type="host">'none'</value>
            </values>
        </policy>
    </policies>
</csp_whitelist>

I need assistance with stopping the following console errors (I have another 8 similar):

Refused to execute inline script because it violates the following
Content Security Policy directive: “script-src assets.adobedtm.com
*.adobe.com googleads.g.doubleclick.net analytics.google.com *.newrelic.com *.nr-data.net
geostag.cardinalcommerce.com 1eafstag.cardinalcommerce.com
geoapi.cardinalcommerce.com 1eafapi.cardinalcommerce.com
songbird.cardinalcommerce.com includestest.ccdc02.com
t.paypal.com s.ytimg.com *.vimeo.com *.vimeocdn.com
*.youtube.com *.commerce-payment-services.com *.typekit.net google.com *.google.com amcglobal.sc.omtrdc.net *.magento-ds.com use.typekit.net js.braintreegateway.com assets.braintreegateway.com c.paypal.com pay.google.com
api.braintreegateway.com api.sandbox.braintreegateway.com
client-analytics.braintreegateway.com
client-analytics.sandbox.braintreegateway.com *.paypal.com
songbirdstag.cardinalcommerce.com *.googleapis.com *.gstatic.com
*.instagram.com ‘report-sample’ ‘self’ ‘unsafe-eval’ ‘unsafe-hashes’ ‘unsafe-inline’ *.adobedtm.com *.avada.io
*.cardinalcommerce.com *.cloudflare.com *.google-analytics.com googletagmanager.com *.googletagmanager.com apis.google.com
*.googleadservices.com *.google.com/ klarna.com *.klarna.com *.klarnacdn.net *.klarnaevt.com *.paypalobjects.com sandbox.paypal.com *.sandbox.paypal.com *.stripe.com *.link.com
‘self’ ‘unsafe-eval’ ‘unsafe-hashes’
‘nonce-b243ZGoxZTNxcW83MHFsZzY3dGgxcnNmOXlweGtnY2Q=’
‘sha256-W5akSSK6LD5BjIlNICMcXaUObQSRAaj6bs7JHADURBA=’
‘sha256-3qVqeAdyxxTdPkkRzqapjGkAUYLahxSrB7Mdup+GPQ0=’
‘sha256-2rvfFrggTCtyF5WOiTri1gDS8Boibj4Njn0e+VCBmDI=’
‘sha256-p8MCfMHqrovsjRYU9z0bU17dd0z81k/fVbGrtBBiM9g=’
‘sha256-0pk2s4oXwBELlC6IBVb3nNaM2PjfjwI2N6OGIX5lx8Y=’
‘sha256-nkEZknO0IxNxY/CkTMBhjNhwPvglpYumjx31B4fjkY8=’
local.adguard.org ‘nonce-5f7358088e0046b0b925f4cfd5b'”. Note that
‘unsafe-inline’ is ignored if either a hash or nonce value is present
in the source list.

I have added the sha256 values to the whitelist but this has not stopped the console errors. What am I doing wrong please?
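As an added check (not code from the question or from Magento itself), the following Python script shows why the hashes in the whitelist only help when each one is the digest of the exact inline script text: it parses a script-src policy in the same csp_whitelist.xml shape, computes the CSP hash of an inline script body, and applies the rule the console error quotes, namely that 'unsafe-inline' is ignored once any hash or nonce is in the source list. The XML below is a constructed, trimmed copy of the question's file.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed script-src policy in the shape of the question's csp_whitelist.xml.
CSP_WHITELIST_XML = """<?xml version="1.0"?>
<csp_whitelist>
    <policies>
        <policy id="script-src">
            <values>
                <value id="self" type="host">'self'</value>
                <value id="unsafe-inline" type="host">'unsafe-inline'</value>
                <value id="hash" type="hash" algorithm="sha256">W5akSSK6LD5BjIlNICMcXaUObQSRAaj6bs7JHADURBA=</value>
            </values>
        </policy>
    </policies>
</csp_whitelist>"""

def csp_hash(script_body: str, algorithm: str = "sha256") -> str:
    """Base64 digest of the exact <script> text (whitespace included), as a browser computes it."""
    digest = hashlib.new(algorithm, script_body.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")

def load_policy(xml_text: str, directive: str) -> dict:
    """Collect the host/keyword tokens and (algorithm, digest) pairs of one directive."""
    hosts, hashes = set(), set()
    for policy in ET.fromstring(xml_text).iter("policy"):
        if policy.get("id") != directive:
            continue
        for value in policy.iter("value"):
            if value.get("type") == "hash":
                hashes.add((value.get("algorithm"), value.text.strip()))
            else:
                hosts.update(value.text.split())  # one <value> may carry several tokens
    return {"hosts": hosts, "hashes": hashes}

def inline_script_allowed(policy: dict, script_body: str) -> tuple:
    """Apply the rule the console error quotes: a hash or nonce in the list disables 'unsafe-inline'."""
    if policy["hashes"]:
        for algorithm, digest in policy["hashes"]:
            if csp_hash(script_body, algorithm) == digest:
                return True, f"matched '{algorithm}-{digest}'"
        return False, "'unsafe-inline' ignored because hashes are present and none matched this script"
    if "'unsafe-inline'" in policy["hosts"]:
        return True, "'unsafe-inline' honoured: no hash or nonce in the source list"
    return False, "no hash, nonce or 'unsafe-inline' covers this script"
```

Paste the text content of one of the blocked inline scripts into `csp_hash()` and compare the result with the digests in the whitelist; if they differ, that script was never covered by any listed hash, and because hashes are present the 'unsafe-inline' fallback no longer applies.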