I recently started working with the Magento_Csp feature, but I am not sure I have understood it correctly yet.
I have created a custom module whose purpose is to act as a centralized summary of CSP entries.
app/code/Vendor/Modul/etc/csp_whitelist.xml
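<?xml version="1.0" encoding="UTF-8"?>
<!--
    Centralized CSP whitelist for this module.

    Each <policy id="..."> names a CSP directive; each <value> is a source
    expression added to that directive. Magento merges csp_whitelist.xml
    files from all modules by the id attributes, so an id is expected to be
    unique within its policy; presumably a later module that declares the
    same id under the same policy replaces the entry instead of adding to
    it, so stable, unique ids matter (two previously duplicated ids, "paypal"
    under img-src and "gstatic" under script-src, were renamed below).

    The keyword sources ('self', 'unsafe-inline', 'unsafe-eval') and scheme
    sources (data:, blob:, http:, https:) are declared here with type="host".
    NOTE(review): Magento also exposes these keywords as per-policy flags in
    its CSP configuration; confirm that listing them as hosts is intended.
-->
<csp_whitelist xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Csp:etc/csp_whitelist.xsd">
    <policies>
        <policy id="font-src">
            <values>
                <value id="klarnacdn" type="host">*.klarnacdn.net</value>
                <value id="fontawesome" type="host">*.fontawesome.com</value>
                <value id="gstatic" type="host">*.gstatic.com</value>
                <value id="self" type="host">'self'</value>
                <value id="data" type="host">data:</value>
            </values>
        </policy>
        <!--
            form-action is a navigation directive: 'unsafe-inline' has no
            meaning here and browsers ignore it (some report the ignored
            keyword in the console).
        -->
        <policy id="form-action">
            <values>
                <value id="cardinalcommerce" type="host">geostag.cardinalcommerce.com</value>
                <value id="cardinalcommerce-geo" type="host">geo.cardinalcommerce.com</value>
                <value id="cardinalcommerce-stag" type="host">1eafstag.cardinalcommerce.com</value>
                <value id="cardinalcommerce-api" type="host">1eaf.cardinalcommerce.com</value>
                <value id="cardinalcommerce-centinel" type="host">centinelapistag.cardinalcommerce.com</value>
                <value id="cardinalcommerce-centinelapi" type="host">centinelapi.cardinalcommerce.com</value>
                <value id="paypal" type="host">www.paypal.com</value>
                <value id="paypal-sandbox" type="host">www.sandbox.paypal.com</value>
                <value id="adyen" type="host">*.adyen.com</value>
                <value id="self" type="host">'self'</value>
                <value id="unsafe-inline" type="host">'unsafe-inline'</value>
            </values>
        </policy>
        <!-- Who may embed this site in a frame (clickjacking protection). -->
        <policy id="frame-ancestors">
            <values>
                <value id="self" type="host">'self'</value>
            </values>
        </policy>
        <!-- 'unsafe-inline' is not applicable to frame-src and is ignored. -->
        <policy id="frame-src">
            <values>
                <value id="amc-demdex" type="host">fast.amc.demdex.net</value>
                <value id="adobe" type="host">*.adobe.com</value>
                <value id="doubleclick" type="host">bid.g.doubleclick.net</value>
                <value id="youtube" type="host">*.youtube.com</value>
                <value id="youtube-nocookie" type="host">*.youtube-nocookie.com</value>
                <value id="cardinalcommerce" type="host">geostag.cardinalcommerce.com</value>
                <value id="cardinalcommerce-geo" type="host">geo.cardinalcommerce.com</value>
                <value id="cardinalcommerce-stag" type="host">1eafstag.cardinalcommerce.com</value>
                <value id="cardinalcommerce-api" type="host">1eaf.cardinalcommerce.com</value>
                <value id="cardinalcommerce-centinel" type="host">centinelapistag.cardinalcommerce.com</value>
                <value id="cardinalcommerce-centinelapi" type="host">centinelapi.cardinalcommerce.com</value>
                <value id="paypal" type="host">www.paypal.com</value>
                <value id="paypal-sandbox" type="host">www.sandbox.paypal.com</value>
                <value id="payflow" type="host">pilot-payflowlink.paypal.com</value>
                <value id="vimeo" type="host">player.vimeo.com</value>
                <value id="google" type="host">*.google.com</value>
                <value id="adyen" type="host">*.adyen.com</value>
                <value id="klarna" type="host">*.klarna.com</value>
                <value id="google-de" type="host">*.google.de</value>
                <value id="doubleclick-net" type="host">*.doubleclick.net</value>
                <value id="googlesyndication" type="host">*.googlesyndication.com</value>
                <value id="googletagservices" type="host">*.googletagservices.com</value>
                <value id="self" type="host">'self'</value>
                <value id="unsafe-inline" type="host">'unsafe-inline'</value>
            </values>
        </policy>
        <!-- 'unsafe-inline' is not applicable to img-src and is ignored. -->
        <policy id="img-src">
            <values>
                <value id="adobedtm" type="host">assets.adobedtm.com</value>
                <value id="omtrdc" type="host">amcglobal.sc.omtrdc.net</value>
                <value id="demdex" type="host">dpm.demdex.net</value>
                <value id="everesttech" type="host">cm.everesttech.net</value>
                <value id="adobe" type="host">*.adobe.com</value>
                <value id="magento-widgets" type="host">widgets.magentocommerce.com</value>
                <value id="data" type="host">data:</value>
                <value id="google-ads" type="host">www.googleadservices.com</value>
                <value id="google-analytics" type="host">www.google-analytics.com</value>
                <value id="doubleclick" type="host">googleads.g.doubleclick.net</value>
                <value id="google" type="host">www.google.com</value>
                <value id="bid-doubleclick" type="host">bid.g.doubleclick.net</value>
                <value id="analytics-google" type="host">analytics.google.com</value>
                <value id="googletagmanager" type="host">www.googletagmanager.com</value>
                <value id="ftcdn" type="host">*.ftcdn.net</value>
                <value id="behance" type="host">*.behance.net</value>
                <value id="t-paypal" type="host">t.paypal.com</value>
                <value id="paypal" type="host">www.paypal.com</value>
                <value id="paypal-objects" type="host">www.paypalobjects.com</value>
                <value id="paypal-fpdbs" type="host">fpdbs.paypal.com</value>
                <value id="paypal-sandbox" type="host">fpdbs.sandbox.paypal.com</value>
                <value id="vimeocdn" type="host">*.vimeocdn.com</value>
                <value id="youtube-img" type="host">i.ytimg.com</value>
                <value id="youtube" type="host">*.youtube.com</value>
                <value id="swagger" type="host">validator.swagger.io</value>
                <value id="adyen" type="host">*.adyen.com</value>
                <value id="unsplash" type="host">https://images.unsplash.com</value>
                <value id="klarna" type="host">*.klarna.com</value>
                <value id="klarnaevt" type="host">*.klarnaevt.com</value>
                <value id="klarnacdn" type="host">*.klarnacdn.net</value>
                <value id="google-de" type="host">www.google.de</value>
                <value id="googletagmanager-com" type="host">*.googletagmanager.com</value>
                <value id="doubleclick-net" type="host">*.doubleclick.net</value>
                <value id="google-com" type="host">*.google.com</value>
                <value id="googlesyndication" type="host">*.googlesyndication.com</value>
                <value id="googletagservices" type="host">*.googletagservices.com</value>
                <value id="googleadservices" type="host">*.googleadservices.com</value>
                <!--
                    Was id="paypal", colliding with the www.paypal.com entry
                    above. This wildcard already covers the more specific
                    *.paypal.com hosts listed in this policy.
                -->
                <value id="paypal-wildcard" type="host">*.paypal.com</value>
                <value id="self" type="host">'self'</value>
                <value id="unsafe-inline" type="host">'unsafe-inline'</value>
            </values>
        </policy>
        <!--
            script-src with both 'unsafe-inline' and 'unsafe-eval' allows any
            inline script and eval(): the policy then no longer mitigates
            XSS, it only limits which external hosts scripts may load from.
            Prefer nonces or hashes for the inline scripts that need them.
        -->
        <policy id="script-src">
            <values>
                <value id="adobedtm" type="host">assets.adobedtm.com</value>
                <value id="adobe" type="host">*.adobe.com</value>
                <value id="google-ads" type="host">www.googleadservices.com</value>
                <value id="google-analytics" type="host">www.google-analytics.com</value>
                <value id="doubleclick" type="host">googleads.g.doubleclick.net</value>
                <value id="analytics-google" type="host">analytics.google.com</value>
                <value id="googletagmanager" type="host">www.googletagmanager.com</value>
                <value id="newrelic" type="host">*.newrelic.com</value>
                <value id="nr-data" type="host">*.nr-data.net</value>
                <value id="cardinalcommerce" type="host">geostag.cardinalcommerce.com</value>
                <value id="cardinalcommerce-stag" type="host">1eafstag.cardinalcommerce.com</value>
                <value id="cardinalcommerce-api" type="host">geoapi.cardinalcommerce.com</value>
                <value id="cardinalcommerce-api2" type="host">1eafapi.cardinalcommerce.com</value>
                <value id="cardinalcommerce-songbird" type="host">songbird.cardinalcommerce.com</value>
                <value id="ccdc02" type="host">includestest.ccdc02.com</value>
                <value id="paypal" type="host">www.paypal.com</value>
                <value id="paypal-sandbox" type="host">www.sandbox.paypal.com</value>
                <value id="paypal-objects" type="host">www.paypalobjects.com</value>
                <value id="t-paypal" type="host">t.paypal.com</value>
                <value id="s-youtube" type="host">s.ytimg.com</value>
                <value id="googleapis" type="host">www.googleapis.com</value>
                <value id="vimeo" type="host">vimeo.com</value>
                <value id="vimeo-www" type="host">www.vimeo.com</value>
                <value id="vimeocdn" type="host">*.vimeocdn.com</value>
                <value id="youtube" type="host">*.youtube.com</value>
                <!--
                    Was id="gstatic", colliding with the *.gstatic.com entry
                    below, which already covers this path-restricted source.
                -->
                <value id="gstatic-recaptcha" type="host">https://www.gstatic.com/recaptcha/</value>
                <value id="google" type="host">*.google.com</value>
                <value id="adyen" type="host">*.adyen.com</value>
                <value id="freshworks" type="host">widget.freshworks.com</value>
                <value id="freshdesk" type="host">m2epro.freshdesk.com</value>
                <value id="klarna" type="host">*.klarna.com</value>
                <value id="klarnacdn" type="host">*.klarnacdn.net</value>
                <value id="klarnaservices" type="host">*.klarnaservices.com</value>
                <value id="avada" type="host">*.avada.io</value>
                <value id="google-analytics2" type="host">https://www.google-analytics.com</value>
                <value id="bing" type="host">https://bat.bing.com</value>
                <value id="google-de" type="host">www.google.de</value>
                <value id="googletagmanager-com" type="host">*.googletagmanager.com</value>
                <value id="doubleclick-net" type="host">*.doubleclick.net</value>
                <value id="googlesyndication" type="host">*.googlesyndication.com</value>
                <value id="googletagservices" type="host">*.googletagservices.com</value>
                <value id="googleadservices" type="host">*.googleadservices.com</value>
                <value id="gstatic" type="host">*.gstatic.com</value>
                <value id="self" type="host">'self'</value>
                <value id="unsafe-inline" type="host">'unsafe-inline'</value>
                <value id="unsafe-eval" type="host">'unsafe-eval'</value>
            </values>
        </policy>
        <policy id="style-src">
            <values>
                <value id="adobe" type="host">*.adobe.com</value>
                <value id="freshworks" type="host">widget.freshworks.com</value>
                <value id="freshdesk" type="host">m2epro.freshdesk.com</value>
                <value id="klarnacdn" type="host">*.klarnacdn.net</value>
                <value id="fontawesome" type="host">*.fontawesome.com</value>
                <value id="googleapis" type="host">*.googleapis.com</value>
                <value id="gstatic" type="host">*.gstatic.com</value>
                <value id="self" type="host">'self'</value>
                <value id="unsafe-inline" type="host">'unsafe-inline'</value>
            </values>
        </policy>
        <!--
            object-src governs plugin content (<object>, <embed>);
            'unsafe-inline' is ignored here. If the store serves no plugin
            content, 'none' is the usual hardened value.
        -->
        <policy id="object-src">
            <values>
                <value id="self" type="host">'self'</value>
                <value id="unsafe-inline" type="host">'unsafe-inline'</value>
            </values>
        </policy>
        <!-- 'unsafe-inline' is not applicable to media-src and is ignored. -->
        <policy id="media-src">
            <values>
                <value id="adobe" type="host">*.adobe.com</value>
                <value id="self" type="host">'self'</value>
                <value id="unsafe-inline" type="host">'unsafe-inline'</value>
            </values>
        </policy>
        <!-- 'unsafe-inline' is not applicable to manifest-src and is ignored. -->
        <policy id="manifest-src">
            <values>
                <value id="self" type="host">'self'</value>
                <value id="unsafe-inline" type="host">'unsafe-inline'</value>
            </values>
        </policy>
        <!-- 'unsafe-inline' is not applicable to connect-src and is ignored. -->
        <policy id="connect-src">
            <values>
                <value id="demdex" type="host">dpm.demdex.net</value>
                <value id="omtrdc" type="host">amcglobal.sc.omtrdc.net</value>
                <value id="google-analytics" type="host">www.google-analytics.com</value>
                <value id="google-ads" type="host">www.googleadservices.com</value>
                <value id="analytics-google" type="host">analytics.google.com</value>
                <value id="googletagmanager" type="host">www.googletagmanager.com</value>
                <value id="newrelic" type="host">*.newrelic.com</value>
                <value id="nr-data" type="host">*.nr-data.net</value>
                <value id="vimeo" type="host">vimeo.com</value>
                <value id="cardinalcommerce" type="host">geostag.cardinalcommerce.com</value>
                <value id="cardinalcommerce-geo" type="host">geo.cardinalcommerce.com</value>
                <value id="cardinalcommerce-stag" type="host">1eafstag.cardinalcommerce.com</value>
                <value id="cardinalcommerce-api" type="host">1eaf.cardinalcommerce.com</value>
                <value id="cardinalcommerce-centinel" type="host">centinelapistag.cardinalcommerce.com</value>
                <value id="cardinalcommerce-centinelapi" type="host">centinelapi.cardinalcommerce.com</value>
                <value id="paypal-sandbox" type="host">www.sandbox.paypal.com</value>
                <value id="paypal-objects" type="host">www.paypalobjects.com</value>
                <value id="paypal" type="host">www.paypal.com</value>
                <value id="payflow" type="host">pilot-payflowlink.paypal.com</value>
                <value id="adyen" type="host">*.adyen.com</value>
                <value id="freshworks" type="host">widget.freshworks.com</value>
                <value id="freshdesk" type="host">m2epro.freshdesk.com</value>
                <value id="klarnaevt" type="host">*.klarnaevt.com</value>
                <value id="klarnacdn" type="host">*.klarnacdn.net</value>
                <value id="klarna" type="host">*.klarna.com</value>
                <value id="klarnaservices" type="host">*.klarnaservices.com</value>
                <value id="geojs" type="host">https://get.geojs.io</value>
                <value id="avada" type="host">*.avada.io</value>
                <value id="doubleclick" type="host">*.doubleclick.net</value>
                <value id="google" type="host">*.google.com</value>
                <value id="googlesyndication" type="host">*.googlesyndication.com</value>
                <value id="googletagservices" type="host">*.googletagservices.com</value>
                <value id="google-analytics2" type="host">*.google-analytics.com</value>
                <value id="self" type="host">'self'</value>
                <value id="unsafe-inline" type="host">'unsafe-inline'</value>
            </values>
        </policy>
        <!--
            The scheme sources http: and https: permit workers/frames from
            any origin over those schemes, so this directive is effectively
            unrestricted; 'unsafe-inline' is ignored here.
        -->
        <policy id="child-src">
            <values>
                <value id="self" type="host">'self'</value>
                <value id="unsafe-inline" type="host">'unsafe-inline'</value>
                <value id="http" type="host">http:</value>
                <value id="https" type="host">https:</value>
                <value id="blob" type="host">blob:</value>
            </values>
        </policy>
        <!--
            default-src is the fallback for every fetch directive not set
            above (for example worker-src or prefetch-src), so the
            'unsafe-inline' and 'unsafe-eval' keywords here also apply to
            those.
        -->
        <policy id="default-src">
            <values>
                <value id="googleapis" type="host">*.googleapis.com</value>
                <value id="self" type="host">'self'</value>
                <value id="unsafe-inline" type="host">'unsafe-inline'</value>
                <value id="unsafe-eval" type="host">'unsafe-eval'</value>
            </values>
        </policy>
        <!--
            base-uri restricts <base href>; 'unsafe-inline' has no meaning
            here and is ignored.
        -->
        <policy id="base-uri">
            <values>
                <value id="self" type="host">'self'</value>
                <value id="unsafe-inline" type="host">'unsafe-inline'</value>
            </values>
        </policy>
    </policies>
</csp_whitelist>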
As you can see, I have already collected a lot of entries.
There are still two problems that leave me confused:
- I mainly use Brave to browse, and in its developer console I don't see any violations.
- Inspecting the site in Safari still shows many errors.
Now I wonder whether there is something crucial I have missed, or whether it is normal for some errors to remain in the developer console?