
Magento CSP csp_whitelist.xml but there are still violations remaining

I recently started working with the Magento_Csp feature, but I am not sure I have understood it correctly yet.

I have created a custom module whose purpose is to act as a centralized collection of CSP entries.

app/code/Vendor/Modul/etc/csp_whitelist.xml

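<?xml version="1.0" encoding="UTF-8"?>
<!--
  Centralized CSP source whitelist for this module (Magento_Csp csp_whitelist.xml).

  Structure: one <policy id="DIRECTIVE"> per CSP directive, each holding
  <value id="..." type="host">SOURCE</value> entries that Magento merges into the
  Content-Security-Policy header it emits for that directive.

  Every <value id> must be unique within its <policy>: Magento's config merger keys
  nodes by id, so two entries sharing an id in the same directive may be merged into
  one (the later text shadowing the earlier) rather than both being emitted. Two such
  collisions were present here and have been renamed: img-src "paypal" (www.paypal.com
  vs *.paypal.com) and script-src "gstatic" (the reCAPTCHA path vs *.gstatic.com).

  Keyword sources ('self', 'unsafe-inline', 'unsafe-eval') and scheme sources (data:,
  blob:, http:, https:) are listed with type="host" and appear to be passed through
  verbatim into the header. Note that 'unsafe-inline' only has an effect in script-src
  and style-src (and their -elem/-attr variants); in directives such as img-src,
  frame-src or connect-src it is inert and some browsers report it as ignored, which
  is one plausible source of "remaining" console messages.
-->
<csp_whitelist xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Csp:etc/csp_whitelist.xsd">
  <policies>
    <!-- Web fonts: Klarna CDN, Font Awesome, Google Fonts; data: covers inlined fonts. -->
    <policy id="font-src">
      <values>
        <value id="klarnacdn" type="host">*.klarnacdn.net</value>
        <value id="fontawesome" type="host">*.fontawesome.com</value>
        <value id="gstatic" type="host">*.gstatic.com</value>
        <value id="self" type="host">'self'</value>
        <value id="data" type="host">data:</value>
      </values>
    </policy>
    <!-- Allowed form submission targets: payment providers (Cardinal/3DS, PayPal, Adyen).
         Every host listed here can receive a POST of form data from a page on this site,
         so keep the list limited to hosts that genuinely need to receive forms. -->
    <policy id="form-action">
      <values>
        <value id="cardinalcommerce" type="host">geostag.cardinalcommerce.com</value>
        <value id="cardinalcommerce-geo" type="host">geo.cardinalcommerce.com</value>
        <value id="cardinalcommerce-stag" type="host">1eafstag.cardinalcommerce.com</value>
        <value id="cardinalcommerce-api" type="host">1eaf.cardinalcommerce.com</value>
        <value id="cardinalcommerce-centinel" type="host">centinelapistag.cardinalcommerce.com</value>
        <value id="cardinalcommerce-centinelapi" type="host">centinelapi.cardinalcommerce.com</value>
        <value id="paypal" type="host">www.paypal.com</value>
        <value id="paypal-sandbox" type="host">www.sandbox.paypal.com</value>
        <value id="adyen" type="host">*.adyen.com</value>
        <value id="self" type="host">'self'</value>
        <!-- 'unsafe-inline' is not a meaningful source for form-action; kept as found. -->
        <value id="unsafe-inline" type="host">'unsafe-inline'</value>
      </values>
    </policy>
    <!-- Who may embed this site in a frame: only the site itself (clickjacking protection). -->
    <policy id="frame-ancestors">
      <values>
        <value id="self" type="host">'self'</value>
      </values>
    </policy>
    <!-- Third-party iframes the site itself may embed: video players, ad/analytics, payment widgets. -->
    <policy id="frame-src">
      <values>
        <value id="amc-demdex" type="host">fast.amc.demdex.net</value>
        <value id="adobe" type="host">*.adobe.com</value>
        <value id="doubleclick" type="host">bid.g.doubleclick.net</value>
        <value id="youtube" type="host">*.youtube.com</value>
        <value id="youtube-nocookie" type="host">*.youtube-nocookie.com</value>
        <value id="cardinalcommerce" type="host">geostag.cardinalcommerce.com</value>
        <value id="cardinalcommerce-geo" type="host">geo.cardinalcommerce.com</value>
        <value id="cardinalcommerce-stag" type="host">1eafstag.cardinalcommerce.com</value>
        <value id="cardinalcommerce-api" type="host">1eaf.cardinalcommerce.com</value>
        <value id="cardinalcommerce-centinel" type="host">centinelapistag.cardinalcommerce.com</value>
        <value id="cardinalcommerce-centinelapi" type="host">centinelapi.cardinalcommerce.com</value>
        <value id="paypal" type="host">www.paypal.com</value>
        <value id="paypal-sandbox" type="host">www.sandbox.paypal.com</value>
        <value id="payflow" type="host">pilot-payflowlink.paypal.com</value>
        <value id="vimeo" type="host">player.vimeo.com</value>
        <value id="google" type="host">*.google.com</value>
        <value id="adyen" type="host">*.adyen.com</value>
        <value id="klarna" type="host">*.klarna.com</value>
        <value id="google-de" type="host">*.google.de</value>
        <value id="doubleclick-net" type="host">*.doubleclick.net</value>
        <value id="googlesyndication" type="host">*.googlesyndication.com</value>
        <value id="googletagservices" type="host">*.googletagservices.com</value>
        <value id="self" type="host">'self'</value>
        <!-- 'unsafe-inline' is not a meaningful source for frame-src; kept as found. -->
        <value id="unsafe-inline" type="host">'unsafe-inline'</value>
      </values>
    </policy>
    <!-- Image origins: Adobe analytics/DTM, Google ads/analytics, PayPal, Klarna, video thumbnails. -->
    <policy id="img-src">
      <values>
        <value id="adobedtm" type="host">assets.adobedtm.com</value>
        <value id="omtrdc" type="host">amcglobal.sc.omtrdc.net</value>
        <value id="demdex" type="host">dpm.demdex.net</value>
        <value id="everesttech" type="host">cm.everesttech.net</value>
        <value id="adobe" type="host">*.adobe.com</value>
        <value id="magento-widgets" type="host">widgets.magentocommerce.com</value>
        <value id="data" type="host">data:</value>
        <value id="google-ads" type="host">www.googleadservices.com</value>
        <value id="google-analytics" type="host">www.google-analytics.com</value>
        <value id="doubleclick" type="host">googleads.g.doubleclick.net</value>
        <value id="google" type="host">www.google.com</value>
        <value id="bid-doubleclick" type="host">bid.g.doubleclick.net</value>
        <value id="analytics-google" type="host">analytics.google.com</value>
        <value id="googletagmanager" type="host">www.googletagmanager.com</value>
        <value id="ftcdn" type="host">*.ftcdn.net</value>
        <value id="behance" type="host">*.behance.net</value>
        <value id="t-paypal" type="host">t.paypal.com</value>
        <value id="paypal" type="host">www.paypal.com</value>
        <value id="paypal-objects" type="host">www.paypalobjects.com</value>
        <value id="paypal-fpdbs" type="host">fpdbs.paypal.com</value>
        <value id="paypal-sandbox" type="host">fpdbs.sandbox.paypal.com</value>
        <value id="vimeocdn" type="host">*.vimeocdn.com</value>
        <value id="youtube-img" type="host">i.ytimg.com</value>
        <value id="youtube" type="host">*.youtube.com</value>
        <value id="swagger" type="host">validator.swagger.io</value>
        <value id="adyen" type="host">*.adyen.com</value>
        <value id="unsplash" type="host">https://images.unsplash.com</value>
        <value id="klarna" type="host">*.klarna.com</value>
        <value id="klarnaevt" type="host">*.klarnaevt.com</value>
        <value id="klarnacdn" type="host">*.klarnacdn.net</value>
        <value id="google-de" type="host">www.google.de</value>
        <value id="googletagmanager-com" type="host">*.googletagmanager.com</value>
        <value id="doubleclick-net" type="host">*.doubleclick.net</value>
        <value id="google-com" type="host">*.google.com</value>
        <value id="googlesyndication" type="host">*.googlesyndication.com</value>
        <value id="googletagservices" type="host">*.googletagservices.com</value>
        <value id="googleadservices" type="host">*.googleadservices.com</value>
        <!-- Renamed from id="paypal" (already used above for www.paypal.com) so both entries survive merging. -->
        <value id="paypal-wildcard" type="host">*.paypal.com</value>
        <value id="self" type="host">'self'</value>
        <!-- 'unsafe-inline' is not a meaningful source for img-src; kept as found. -->
        <value id="unsafe-inline" type="host">'unsafe-inline'</value>
      </values>
    </policy>
    <!-- Script origins. This is the directive that decides whether CSP mitigates XSS:
         'unsafe-inline' and 'unsafe-eval' at the end re-enable inline scripts and
         eval(), so with them present the host list mostly limits where external
         scripts are loaded from rather than preventing script injection. -->
    <policy id="script-src">
      <values>
        <value id="adobedtm" type="host">assets.adobedtm.com</value>
        <value id="adobe" type="host">*.adobe.com</value>
        <value id="google-ads" type="host">www.googleadservices.com</value>
        <value id="google-analytics" type="host">www.google-analytics.com</value>
        <value id="doubleclick" type="host">googleads.g.doubleclick.net</value>
        <value id="analytics-google" type="host">analytics.google.com</value>
        <value id="googletagmanager" type="host">www.googletagmanager.com</value>
        <value id="newrelic" type="host">*.newrelic.com</value>
        <value id="nr-data" type="host">*.nr-data.net</value>
        <value id="cardinalcommerce" type="host">geostag.cardinalcommerce.com</value>
        <value id="cardinalcommerce-stag" type="host">1eafstag.cardinalcommerce.com</value>
        <value id="cardinalcommerce-api" type="host">geoapi.cardinalcommerce.com</value>
        <value id="cardinalcommerce-api2" type="host">1eafapi.cardinalcommerce.com</value>
        <value id="cardinalcommerce-songbird" type="host">songbird.cardinalcommerce.com</value>
        <value id="ccdc02" type="host">includestest.ccdc02.com</value>
        <value id="paypal" type="host">www.paypal.com</value>
        <value id="paypal-sandbox" type="host">www.sandbox.paypal.com</value>
        <value id="paypal-objects" type="host">www.paypalobjects.com</value>
        <value id="t-paypal" type="host">t.paypal.com</value>
        <value id="s-youtube" type="host">s.ytimg.com</value>
        <value id="googleapis" type="host">www.googleapis.com</value>
        <value id="vimeo" type="host">vimeo.com</value>
        <value id="vimeo-www" type="host">www.vimeo.com</value>
        <value id="vimeocdn" type="host">*.vimeocdn.com</value>
        <value id="youtube" type="host">*.youtube.com</value>
        <!-- Renamed from id="gstatic" (also used below for *.gstatic.com, which subsumes this path). -->
        <value id="gstatic-recaptcha" type="host">https://www.gstatic.com/recaptcha/</value>
        <value id="google" type="host">*.google.com</value>
        <value id="adyen" type="host">*.adyen.com</value>
        <value id="freshworks" type="host">widget.freshworks.com</value>
        <value id="freshdesk" type="host">m2epro.freshdesk.com</value>
        <value id="klarna" type="host">*.klarna.com</value>
        <value id="klarnacdn" type="host">*.klarnacdn.net</value>
        <value id="klarnaservices" type="host">*.klarnaservices.com</value>
        <value id="avada" type="host">*.avada.io</value>
        <value id="google-analytics2" type="host">https://www.google-analytics.com</value>
        <value id="bing" type="host">https://bat.bing.com</value>
        <value id="google-de" type="host">www.google.de</value>
        <value id="googletagmanager-com" type="host">*.googletagmanager.com</value>
        <value id="doubleclick-net" type="host">*.doubleclick.net</value>
        <value id="googlesyndication" type="host">*.googlesyndication.com</value>
        <value id="googletagservices" type="host">*.googletagservices.com</value>
        <value id="googleadservices" type="host">*.googleadservices.com</value>
        <value id="gstatic" type="host">*.gstatic.com</value>
        <value id="self" type="host">'self'</value>
        <value id="unsafe-inline" type="host">'unsafe-inline'</value>
        <value id="unsafe-eval" type="host">'unsafe-eval'</value>
      </values>
    </policy>
    <!-- Stylesheet origins; 'unsafe-inline' here permits inline style attributes/blocks. -->
    <policy id="style-src">
      <values>
        <value id="adobe" type="host">*.adobe.com</value>
        <value id="freshworks" type="host">widget.freshworks.com</value>
        <value id="freshdesk" type="host">m2epro.freshdesk.com</value>
        <value id="klarnacdn" type="host">*.klarnacdn.net</value>
        <value id="fontawesome" type="host">*.fontawesome.com</value>
        <value id="googleapis" type="host">*.googleapis.com</value>
        <value id="gstatic" type="host">*.gstatic.com</value>
        <value id="self" type="host">'self'</value>
        <value id="unsafe-inline" type="host">'unsafe-inline'</value>
      </values>
    </policy>
    <!-- Plugin/object content (<object>, <embed>); 'unsafe-inline' is inert here. -->
    <policy id="object-src">
      <values>
        <value id="self" type="host">'self'</value>
        <value id="unsafe-inline" type="host">'unsafe-inline'</value>
      </values>
    </policy>
    <!-- Audio/video origins; 'unsafe-inline' is inert here. -->
    <policy id="media-src">
      <values>
        <value id="adobe" type="host">*.adobe.com</value>
        <value id="self" type="host">'self'</value>
        <value id="unsafe-inline" type="host">'unsafe-inline'</value>
      </values>
    </policy>
    <!-- Web app manifest origin; 'unsafe-inline' is inert here. -->
    <policy id="manifest-src">
      <values>
        <value id="self" type="host">'self'</value>
        <value id="unsafe-inline" type="host">'unsafe-inline'</value>
      </values>
    </policy>
    <!-- XHR/fetch/WebSocket/beacon targets: analytics, APM (New Relic), payment and support APIs. -->
    <policy id="connect-src">
      <values>
        <value id="demdex" type="host">dpm.demdex.net</value>
        <value id="omtrdc" type="host">amcglobal.sc.omtrdc.net</value>
        <value id="google-analytics" type="host">www.google-analytics.com</value>
        <value id="google-ads" type="host">www.googleadservices.com</value>
        <value id="analytics-google" type="host">analytics.google.com</value>
        <value id="googletagmanager" type="host">www.googletagmanager.com</value>
        <value id="newrelic" type="host">*.newrelic.com</value>
        <value id="nr-data" type="host">*.nr-data.net</value>
        <value id="vimeo" type="host">vimeo.com</value>
        <value id="cardinalcommerce" type="host">geostag.cardinalcommerce.com</value>
        <value id="cardinalcommerce-geo" type="host">geo.cardinalcommerce.com</value>
        <value id="cardinalcommerce-stag" type="host">1eafstag.cardinalcommerce.com</value>
        <value id="cardinalcommerce-api" type="host">1eaf.cardinalcommerce.com</value>
        <value id="cardinalcommerce-centinel" type="host">centinelapistag.cardinalcommerce.com</value>
        <value id="cardinalcommerce-centinelapi" type="host">centinelapi.cardinalcommerce.com</value>
        <value id="paypal-sandbox" type="host">www.sandbox.paypal.com</value>
        <value id="paypal-objects" type="host">www.paypalobjects.com</value>
        <value id="paypal" type="host">www.paypal.com</value>
        <value id="payflow" type="host">pilot-payflowlink.paypal.com</value>
        <value id="adyen" type="host">*.adyen.com</value>
        <value id="freshworks" type="host">widget.freshworks.com</value>
        <value id="freshdesk" type="host">m2epro.freshdesk.com</value>
        <value id="klarnaevt" type="host">*.klarnaevt.com</value>
        <value id="klarnacdn" type="host">*.klarnacdn.net</value>
        <value id="klarna" type="host">*.klarna.com</value>
        <value id="klarnaservices" type="host">*.klarnaservices.com</value>
        <value id="geojs" type="host">https://get.geojs.io</value>
        <value id="avada" type="host">*.avada.io</value>
        <value id="doubleclick" type="host">*.doubleclick.net</value>
        <value id="google" type="host">*.google.com</value>
        <value id="googlesyndication" type="host">*.googlesyndication.com</value>
        <value id="googletagservices" type="host">*.googletagservices.com</value>
        <value id="google-analytics2" type="host">*.google-analytics.com</value>
        <value id="self" type="host">'self'</value>
        <!-- 'unsafe-inline' is not a meaningful source for connect-src; kept as found. -->
        <value id="unsafe-inline" type="host">'unsafe-inline'</value>
      </values>
    </policy>
    <!-- Workers and nested browsing contexts. http: and https: together allow any
         origin over either scheme, so this directive effectively places no origin
         restriction on child contexts. -->
    <policy id="child-src">
      <values>
        <value id="self" type="host">'self'</value>
        <value id="unsafe-inline" type="host">'unsafe-inline'</value>
        <value id="http" type="host">http:</value>
        <value id="https" type="host">https:</value>
        <value id="blob" type="host">blob:</value>
      </values>
    </policy>
    <!-- Fallback for fetch directives that are not set explicitly above. -->
    <policy id="default-src">
      <values>
        <value id="googleapis" type="host">*.googleapis.com</value>
        <value id="self" type="host">'self'</value>
        <value id="unsafe-inline" type="host">'unsafe-inline'</value>
        <value id="unsafe-eval" type="host">'unsafe-eval'</value>
      </values>
    </policy>
    <!-- Allowed <base href> targets; restricting to 'self' blocks base-tag hijacking of relative URLs. -->
    <policy id="base-uri">
      <values>
        <value id="self" type="host">'self'</value>
        <!-- 'unsafe-inline' is not a meaningful source for base-uri; kept as found. -->
        <value id="unsafe-inline" type="host">'unsafe-inline'</value>
      </values>
    </policy>
  </policies>
</csp_whitelist>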

As you can see, I have already collected a lot of entries.

There are still two things that leave me confused.

  • I mainly browse with Brave, and in its developer console I don't
    see any violations.

  • Inspecting the site in Safari still shows many errors.

Safari developer console

Now I wonder whether I have missed something crucial, or whether it is normal for some errors to remain in the developer console?