
CSP Module Issue after patch upgrade to Magento version 2.4.6-p6

ISSUE: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src assets.adobedtm.com *.adobe.com data: www.googleadservices.com www.google-analytics.com googleads.g.doubleclick.net analytics.google.com www.googletagmanager.com *.newrelic.com *.nr-data.net geostag.cardinalcommerce.com 1eafstag.cardinalcommerce.com geoapi.cardinalcommerce.com 1eafapi.cardinalcommerce.com songbird.cardinalcommerce.com includestest.ccdc02.com www.paypal.com www.sandbox.paypal.com www.paypalobjects.com t.paypal.com s.ytimg.com www.googleapis.com vimeo.com www.vimeo.com *.vimeocdn.com *.youtube.com https://www.gstatic.com/recaptcha/ https://www.google.com/recaptcha/ *.avada.io js.braintreegateway.com assets.braintreegateway.com c.paypal.com pay.google.com api.braintreegateway.com api.sandbox.braintreegateway.com client-analytics.braintreegateway.com client-analytics.sandbox.braintreegateway.com *.paypal.com songbirdstag.cardinalcommerce.com *.yotpo.com http://127.0.0.1/ *.aptrinsic.com 'self' 'unsafe-eval' 'unsafe-hashes' 'nonce-eWxoeXBpYW11OXVrbXdlbnp4cGh6cWx1Y3ZiemdtNGQ=' 'sha256-W5akSSK6LD5BjIlNICMcXaUObQSRAaj6bs7JHADURBA=' 'sha256-3qVqeAdyxxTdPkkRzqapjGkAUYLahxSrB7Mdup+GPQ0=' 'sha256-2rvfFrggTCtyF5WOiTri1gDS8Boibj4Njn0e+VCBmDI=' 'sha256-p8MCfMHqrovsjRYU9z0bU17dd0z81k/fVbGrtBBiM9g=' 'sha256-0pk2s4oXwBELlC6IBVb3nNaM2PjfjwI2N6OGIX5lx8Y=' 'sha256-nkEZknO0IxNxY/CkTMBhjNhwPvglpYumjx31B4fjkY8='". Either the 'unsafe-inline' keyword, a hash ('sha256-A6CktM4r1NQCpDicl7xMeooXesWySEqXStbkj79JbAM='), or a nonce ('nonce-...') is required to enable inline execution.

Issue Reference: https://experienceleague.adobe.com/en/docs/commerce-knowledge-base/kb/troubleshooting/payments/admin-create-order-page-in-csp-restricted-mode

Tried a CSP whitelist using the csp_whitelist.xml file:

```xml
<?xml version="1.0"?>
<csp_whitelist xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Csp/etc/csp_whitelist.xsd">
    <policies>
        <policy id="script-src">
            <!-- csp_whitelist.xsd requires a <values> wrapper and a type="host" or type="hash"
                 attribute on every <value>; without them the file fails schema validation -->
            <values>
                <value id="self" type="host">'self'</value>
                <!-- Browsers ignore 'unsafe-inline' in script-src as soon as a nonce or hash source
                     is present, and the emitted header above already carries both, so this keyword
                     does not unblock the inline script -->
                <value id="unsafe-inline" type="host">'unsafe-inline'</value>
                <!-- Hashes use type="hash" plus the algorithm attribute; the value is the bare base64
                     digest, Magento prepends "sha256-" when rendering the header. This is the hash the
                     console message asks for; nkEZknO0...fjkY8= was already in the emitted policy.
                     The hash covers the exact inline script body, so it changes whenever that
                     script's content changes -->
                <value id="sha256-script-hash" type="hash" algorithm="sha256">A6CktM4r1NQCpDicl7xMeooXesWySEqXStbkj79JbAM=</value>
                <value id="google" type="host">*.google.com</value>
                <value id="g-static" type="host">*.gstatic.com</value>
                <value id="google-apis" type="host">*.googleapis.com</value>
                <value id="maxcdn" type="host">*.bootstrapcdn.com</value>
                <value id="fontawesome" type="host">*.fontawesome.com</value>
                <!-- 'self' and the data: scheme pass through to the header as literal tokens -->
                <value id="data-script" type="host">'self' data:</value>
                <value id="relieffactor" type="host">*.relieffactor.com</value>
                <value id="local" type="host">http://127.0.0.1/</value>
            </values>
        </policy>
        <policy id="style-src">
            <values>
                <!-- Google APIs -->
                <value id="google-apis" type="host">*.googleapis.com</value>
                <value id="maxcdn" type="host">*.bootstrapcdn.com</value>
                <value id="fontawesome" type="host">*.fontawesome.com</value>
                <value id="plyr" type="host">*.plyr.io</value>
                <value id="g-static" type="host">*.gstatic.com</value>
                <value id="data-style" type="host">'self' data:</value>
            </values>
        </policy>
        <policy id="img-src">
            <values>
                <!-- Data Scheme - Base64 Encoded Images -->
                <value id="data-image" type="host">'self' data:</value>
                <value id="g-static" type="host">*.gstatic.com</value>
            </values>
        </policy>
        <!-- One frame-src policy; the two separate frame-src blocks are merged here -->
        <policy id="frame-src">
            <values>
                <value id="vimeo" type="host">*.vimeo.com</value>
                <!-- Google -->
                <value id="google" type="host">*.google.com</value>
            </values>
        </policy>
        <policy id="connect-src">
            <values>
                <!-- Google Analytics -->
                <value id="google-analytics" type="host">*.google-analytics.com</value>
            </values>
        </policy>
        <policy id="font-src">
            <values>
                <!-- G Static -->
                <value id="g-static" type="host">*.gstatic.com</value>
                <!-- Data Scheme - Base64 Encoded Fonts -->
                <value id="data-font" type="host">'self' data:</value>
                <value id="maxcdn" type="host">*.bootstrapcdn.com</value>
            </values>
        </policy>
        <policy id="base-uri">
            <!-- base-uri restricts the URL a <base> element may point to, not where fonts or
                 scripts load from; a third-party CDN listed here lets an injected <base> tag
                 redirect every relative URL on the page to that host -->
            <values>
                <!-- G Static -->
                <value id="g-static" type="host">*.gstatic.com</value>
                <!-- Data Scheme - Base64 Encoded Fonts -->
                <value id="data-font" type="host">'self' data:</value>
                <value id="maxcdn" type="host">*.bootstrapcdn.com</value>
            </values>
        </policy>
    </policies>
</csp_whitelist>
```

Please suggest any solution to skip this CSP whitelist issue.
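An added worked example, not part of the original post or of Magento's code: a small checker that parses a CSP `script-src` directive the way a browser does, decides whether a given inline script would execute, and emits the `<value type="hash" algorithm="sha256">` element that csp_whitelist.xml expects (bare base64 digest, no `sha256-` prefix). The header fragment and inline script body are constructed samples; the nonce and hash values in the sample header are copied from the console message above. It shows why adding `'unsafe-inline'` does nothing while Magento emits nonces and hashes, and how to derive the hash to whitelist instead.

```python
import base64
import hashlib
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample inputs (not taken from any real store): a trimmed script-src
# directive in the shape Magento emits, plus an inline script body to check.
SAMPLE_CSP_HEADER = (
    "script-src 'self' 'unsafe-eval' www.googletagmanager.com "
    "'nonce-eWxoeXBpYW11OXVrbXdlbnp4cGh6cWx1Y3ZiemdtNGQ=' "
    "'sha256-nkEZknO0IxNxY/CkTMBhjNhwPvglpYumjx31B4fjkY8='; "
    "style-src 'self' 'unsafe-inline'"
)
SAMPLE_INLINE_SCRIPT = 'window.checkoutConfig = {"quoteId": "42"};'

NONCE_OR_HASH = re.compile(r"^'(nonce|sha256|sha384|sha512)-")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive-name: [source expression, ...]}."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def script_hash(body: str, algorithm: str = "sha256") -> str:
    """CSP hash of an inline script: base64 of the digest over the exact text
    between <script> and </script>, byte for byte (whitespace included)."""
    digest = hashlib.new(algorithm, body.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def inline_script_allowed(
    policy: Dict[str, List[str]], body: str, nonce: Optional[str] = None
) -> Tuple[bool, str]:
    """Apply the CSP inline-script rules to one script body.

    Order matters: a matching nonce or hash always wins, and 'unsafe-inline'
    is ignored by the browser whenever any nonce or hash source is present."""
    sources = policy.get("script-src", policy.get("default-src", []))
    has_nonce_or_hash = any(NONCE_OR_HASH.match(s) for s in sources)

    if nonce and f"'nonce-{nonce}'" in sources:
        return True, "nonce matches"
    for algo in ("sha256", "sha384", "sha512"):
        if f"'{algo}-{script_hash(body, algo)}'" in sources:
            return True, f"{algo} hash matches"
    if "'unsafe-inline'" in sources:
        if has_nonce_or_hash:
            return False, "'unsafe-inline' is ignored because a nonce or hash source is present"
        return True, "'unsafe-inline' (weak: any injected inline script also runs)"
    return False, "no nonce, hash or 'unsafe-inline'"


def whitelist_value(body: str, value_id: str) -> str:
    """<value> element for Magento's csp_whitelist.xml. Magento adds the
    'sha256-' prefix itself, so only the base64 digest goes in the element."""
    return (
        f'<value id="{value_id}" type="hash" algorithm="sha256">'
        f"{script_hash(body)}</value>"
    )


if __name__ == "__main__":
    policy = parse_csp(SAMPLE_CSP_HEADER)
    allowed, reason = inline_script_allowed(policy, SAMPLE_INLINE_SCRIPT)
    print(f"inline script allowed: {allowed} ({reason})")
    if not allowed:
        print("add to script-src in csp_whitelist.xml:")
        print("  " + whitelist_value(SAMPLE_INLINE_SCRIPT, "checkout-config"))
```

Run it against the real header from the browser's Network tab and the exact inline script body from the page source; a hash computed over anything other than the byte-exact script text will not match, and a script that embeds per-request data (a quote id, a form key) gets a new hash every request, which is why Magento pairs hashes with a nonce for such scripts.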