I am trying to get my head around CSP after upgrading Magento to 2.4.7. Prior to this, it was disabled. I have installed a custom module successfully and added a csp_whitelist.xml file with the following, which I copied from a whitelist on GitHub:
<?xml version="1.0"?>
<csp_whitelist xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Csp:etc/csp_whitelist.xsd">
    <policies>
        <policy id="font-src">
            <values>
                <value id="cloudflare" type="host">*.cloudflare.com</value>
                <value id="twitter.com" type="host">*.twitter.com</value>
                <value id="gstatic" type="host">*.gstatic.com</value>
                <value id="typekit" type="host">*.typekit.net</value>
                <value id="googleapis" type="host">*.googleapis.com</value>
                <value id="fontawesome" type="host">*.fontawesome.com</value>
                <value id="fontawesomecdn" type="host">*.bootstrapcdn.com</value>
            </values>
        </policy>
        <policy id="style-src">
            <values>
                <value id="cloudflare" type="host">*.cloudflare.com</value>
                <value id="googleapis" type="host">*.googleapis.com</value>
                <value id="twitter.com" type="host">*.twitter.com</value>
                <value id="gstatic" type="host">*.gstatic.com</value>
                <value id="typekit" type="host">*.typekit.net</value>
                <value id="fontawesome" type="host">*.fontawesome.com</value>
                <value id="fontawesomecdn" type="host">*.bootstrapcdn.com</value>
            </values>
        </policy>
        <policy id="img-src">
            <values>
                <value id="cloudflare" type="host">*.cloudflare.com</value>
                <value id="googleadservices" type="host">*.googleadservices.com</value>
                <value id="google-analytics" type="host">*.google-analytics.com</value>
                <value id="paypal" type="host">*.paypal.com</value>
                <value id="twitter.com" type="host">*.twitter.com</value>
                <value id="vimeocdn" type="host">*.vimeocdn.com</value>
                <value id="data" type="host">'self' data:</value>
            </values>
        </policy>
        <policy id="connect-src">
            <values>
                <value id="cloudflare" type="host">*.cloudflare.com</value>
                <value id="twitter.com" type="host">*.twitter.com</value>
                <value id="paypal" type="host">*.paypal.com</value>
            </values>
        </policy>
        <policy id="frame-src">
            <values>
                <value id="twitter.com" type="host">*.twitter.com</value>
                <value id="google.com" type="host">*.google.com</value>
            </values>
        </policy>
        <policy id="script-src">
            <values>
                <value id="cloudflare" type="host">*.cloudflare.com</value>
                <value id="twitter.com" type="host">*.twitter.com</value>
                <value id="google-analytics" type="host">*.google-analytics.com</value>
                <value id="googletagmanager.com" type="host">googletagmanager.com</value>
                <value id="google" type="host">*.google.com</value>
                <value id="gstatic" type="host">*.gstatic.com</value>
                <value id="trustedshops" type="host">*.trustedshops.com</value>
                <value id="fontawesome" type="host">*.fontawesome.com</value>
                <value id="googleapis" type="host">apis.google.com</value>
                <value id="graph-facebook" type="host">graph.facebook.com</value>
            </values>
        </policy>
    </policies>
</csp_whitelist>
Currently my checkout is not loading, with Chrome’s console giving me the following:
checkout/:11 Refused to execute inline script because it violates the following Content Security Policy directive: “script-src assets.adobedtm.com *.adobe.com www.googleadservices.com www.google-analytics.com googleads.g.doubleclick.net analytics.google.com www.googletagmanager.com *.newrelic.com *.nr-data.net geostag.cardinalcommerce.com 1eafstag.cardinalcommerce.com geoapi.cardinalcommerce.com 1eafapi.cardinalcommerce.com songbird.cardinalcommerce.com includestest.ccdc02.com www.paypal.com www.sandbox.paypal.com www.paypalobjects.com t.paypal.com s.ytimg.com www.googleapis.com *.vimeo.com www.vimeo.com *.vimeocdn.com *.youtube.com https://www.gstatic.com/recaptcha/ https://www.google.com/recaptcha/ *.commerce-payment-services.com *.typekit.net google.com *.google.com amcglobal.sc.omtrdc.net *.magento-ds.com use.typekit.net js.braintreegateway.com assets.braintreegateway.com c.paypal.com pay.google.com api.braintreegateway.com api.sandbox.braintreegateway.com client-analytics.braintreegateway.com client-analytics.sandbox.braintreegateway.com *.paypal.com songbirdstag.cardinalcommerce.com *.googleapis.com *.gstatic.com *.instagram.com www.google.com/recaptcha/ www.gstatic.com/recaptcha/ *.googleadservices.com *.google-analytics.com *assets.adobedtm.com *googleads.g.doubleclick.net *analytics.google.com *.googletagmanager.com *.cardinalcommerce.com *sandbox.paypal.com *.paypalobjects.com *t.paypal.com *s.ytimg.com https://www.gstatic.com/recaptcha https://www.google.com/recaptcha *.google.com/ *.avada.io *.stripe.com klarna.com *.klarna.com *.klarnacdn.net *.klarnaevt.com *.link.com ‘self’ ‘unsafe-eval’ ‘unsafe-hashes’ ‘nonce-bWNsY3p4Nmh6Ym8xZ2x3MWw4Y3JzbjM5NmNmbnRmcWQ=’ ‘sha256-W5akSSK6LD5BjIlNICMcXaUObQSRAaj6bs7JHADURBA=’ ‘sha256-3qVqeAdyxxTdPkkRzqapjGkAUYLahxSrB7Mdup+GPQ0=’ ‘sha256-2rvfFrggTCtyF5WOiTri1gDS8Boibj4Njn0e+VCBmDI=’ ‘sha256-p8MCfMHqrovsjRYU9z0bU17dd0z81k/fVbGrtBBiM9g=’ ‘sha256-0pk2s4oXwBELlC6IBVb3nNaM2PjfjwI2N6OGIX5lx8Y=’ 
‘sha256-nkEZknO0IxNxY/CkTMBhjNhwPvglpYumjx31B4fjkY8=’ local.adguard.org ‘nonce-43e183d31a244cc9afdd777d8ef'”. Either the ‘unsafe-inline’ keyword, a hash (‘sha256-dn3M6MPF4GXog4BRnrw+ns2v/ER5GrnnRTSYtw/47qM=’), or a nonce (‘nonce-…’) is required to enable inline execution.
checkout/:293 Refused to execute inline script because it violates the following Content Security Policy directive: “script-src assets.adobedtm.com *.adobe.com www.googleadservices.com www.google-analytics.com googleads.g.doubleclick.net analytics.google.com www.googletagmanager.com *.newrelic.com *.nr-data.net geostag.cardinalcommerce.com 1eafstag.cardinalcommerce.com geoapi.cardinalcommerce.com 1eafapi.cardinalcommerce.com songbird.cardinalcommerce.com includestest.ccdc02.com www.paypal.com www.sandbox.paypal.com www.paypalobjects.com t.paypal.com s.ytimg.com www.googleapis.com *.vimeo.com www.vimeo.com *.vimeocdn.com *.youtube.com https://www.gstatic.com/recaptcha/ https://www.google.com/recaptcha/ *.commerce-payment-services.com *.typekit.net google.com *.google.com amcglobal.sc.omtrdc.net *.magento-ds.com use.typekit.net js.braintreegateway.com assets.braintreegateway.com c.paypal.com pay.google.com api.braintreegateway.com api.sandbox.braintreegateway.com client-analytics.braintreegateway.com client-analytics.sandbox.braintreegateway.com *.paypal.com songbirdstag.cardinalcommerce.com *.googleapis.com *.gstatic.com *.instagram.com www.google.com/recaptcha/ www.gstatic.com/recaptcha/ *.googleadservices.com *.google-analytics.com *assets.adobedtm.com *googleads.g.doubleclick.net *analytics.google.com *.googletagmanager.com *.cardinalcommerce.com *sandbox.paypal.com *.paypalobjects.com *t.paypal.com *s.ytimg.com https://www.gstatic.com/recaptcha https://www.google.com/recaptcha *.google.com/ *.avada.io *.stripe.com klarna.com *.klarna.com *.klarnacdn.net *.klarnaevt.com *.link.com ‘self’ ‘unsafe-eval’ ‘unsafe-hashes’ ‘nonce-bWNsY3p4Nmh6Ym8xZ2x3MWw4Y3JzbjM5NmNmbnRmcWQ=’ ‘sha256-W5akSSK6LD5BjIlNICMcXaUObQSRAaj6bs7JHADURBA=’ ‘sha256-3qVqeAdyxxTdPkkRzqapjGkAUYLahxSrB7Mdup+GPQ0=’ ‘sha256-2rvfFrggTCtyF5WOiTri1gDS8Boibj4Njn0e+VCBmDI=’ ‘sha256-p8MCfMHqrovsjRYU9z0bU17dd0z81k/fVbGrtBBiM9g=’ ‘sha256-0pk2s4oXwBELlC6IBVb3nNaM2PjfjwI2N6OGIX5lx8Y=’ 
‘sha256-nkEZknO0IxNxY/CkTMBhjNhwPvglpYumjx31B4fjkY8=’ local.adguard.org ‘nonce-43e183d31a244cc9afdd777d8ef'”. Either the ‘unsafe-inline’ keyword, a hash (‘sha256-TcUB1mzXiQO4GxpTRZ0EMpOXKMU3u+n/q1WrgVIcs1I=’), or a nonce (‘nonce-…’) is required to enable inline execution.
checkout/:508 Refused to execute inline script because it violates the following Content Security Policy directive: “script-src assets.adobedtm.com *.adobe.com www.googleadservices.com www.google-analytics.com googleads.g.doubleclick.net analytics.google.com www.googletagmanager.com *.newrelic.com *.nr-data.net geostag.cardinalcommerce.com 1eafstag.cardinalcommerce.com geoapi.cardinalcommerce.com 1eafapi.cardinalcommerce.com songbird.cardinalcommerce.com includestest.ccdc02.com www.paypal.com www.sandbox.paypal.com www.paypalobjects.com t.paypal.com s.ytimg.com www.googleapis.com *.vimeo.com www.vimeo.com *.vimeocdn.com *.youtube.com https://www.gstatic.com/recaptcha/ https://www.google.com/recaptcha/ *.commerce-payment-services.com *.typekit.net google.com *.google.com amcglobal.sc.omtrdc.net *.magento-ds.com use.typekit.net js.braintreegateway.com assets.braintreegateway.com c.paypal.com pay.google.com api.braintreegateway.com api.sandbox.braintreegateway.com client-analytics.braintreegateway.com client-analytics.sandbox.braintreegateway.com *.paypal.com songbirdstag.cardinalcommerce.com *.googleapis.com *.gstatic.com *.instagram.com www.google.com/recaptcha/ www.gstatic.com/recaptcha/ *.googleadservices.com *.google-analytics.com *assets.adobedtm.com *googleads.g.doubleclick.net *analytics.google.com *.googletagmanager.com *.cardinalcommerce.com *sandbox.paypal.com *.paypalobjects.com *t.paypal.com *s.ytimg.com https://www.gstatic.com/recaptcha https://www.google.com/recaptcha *.google.com/ *.avada.io *.stripe.com klarna.com *.klarna.com *.klarnacdn.net *.klarnaevt.com *.link.com ‘self’ ‘unsafe-eval’ ‘unsafe-hashes’ ‘nonce-bWNsY3p4Nmh6Ym8xZ2x3MWw4Y3JzbjM5NmNmbnRmcWQ=’ ‘sha256-W5akSSK6LD5BjIlNICMcXaUObQSRAaj6bs7JHADURBA=’ ‘sha256-3qVqeAdyxxTdPkkRzqapjGkAUYLahxSrB7Mdup+GPQ0=’ ‘sha256-2rvfFrggTCtyF5WOiTri1gDS8Boibj4Njn0e+VCBmDI=’ ‘sha256-p8MCfMHqrovsjRYU9z0bU17dd0z81k/fVbGrtBBiM9g=’ ‘sha256-0pk2s4oXwBELlC6IBVb3nNaM2PjfjwI2N6OGIX5lx8Y=’ 
‘sha256-nkEZknO0IxNxY/CkTMBhjNhwPvglpYumjx31B4fjkY8=’ local.adguard.org ‘nonce-43e183d31a244cc9afdd777d8ef'”. Either the ‘unsafe-inline’ keyword, a hash (‘sha256-gUUF6lV6BMiR+JKqVIjiKMP5Ve3oqlYsWucNw6cU9MA=’), or a nonce (‘nonce-…’) is required to enable inline execution.
checkout/:525 Refused to execute inline script because it violates the following Content Security Policy directive: “script-src assets.adobedtm.com *.adobe.com www.googleadservices.com www.google-analytics.com googleads.g.doubleclick.net analytics.google.com www.googletagmanager.com *.newrelic.com *.nr-data.net geostag.cardinalcommerce.com 1eafstag.cardinalcommerce.com geoapi.cardinalcommerce.com 1eafapi.cardinalcommerce.com songbird.cardinalcommerce.com includestest.ccdc02.com www.paypal.com www.sandbox.paypal.com www.paypalobjects.com t.paypal.com s.ytimg.com www.googleapis.com *.vimeo.com www.vimeo.com *.vimeocdn.com *.youtube.com https://www.gstatic.com/recaptcha/ https://www.google.com/recaptcha/ *.commerce-payment-services.com *.typekit.net google.com *.google.com amcglobal.sc.omtrdc.net *.magento-ds.com use.typekit.net js.braintreegateway.com assets.braintreegateway.com c.paypal.com pay.google.com api.braintreegateway.com api.sandbox.braintreegateway.com client-analytics.braintreegateway.com client-analytics.sandbox.braintreegateway.com *.paypal.com songbirdstag.cardinalcommerce.com *.googleapis.com *.gstatic.com *.instagram.com www.google.com/recaptcha/ www.gstatic.com/recaptcha/ *.googleadservices.com *.google-analytics.com *assets.adobedtm.com *googleads.g.doubleclick.net *analytics.google.com *.googletagmanager.com *.cardinalcommerce.com *sandbox.paypal.com *.paypalobjects.com *t.paypal.com *s.ytimg.com https://www.gstatic.com/recaptcha https://www.google.com/recaptcha *.google.com/ *.avada.io *.stripe.com klarna.com *.klarna.com *.klarnacdn.net *.klarnaevt.com *.link.com ‘self’ ‘unsafe-eval’ ‘unsafe-hashes’ ‘nonce-bWNsY3p4Nmh6Ym8xZ2x3MWw4Y3JzbjM5NmNmbnRmcWQ=’ ‘sha256-W5akSSK6LD5BjIlNICMcXaUObQSRAaj6bs7JHADURBA=’ ‘sha256-3qVqeAdyxxTdPkkRzqapjGkAUYLahxSrB7Mdup+GPQ0=’ ‘sha256-2rvfFrggTCtyF5WOiTri1gDS8Boibj4Njn0e+VCBmDI=’ ‘sha256-p8MCfMHqrovsjRYU9z0bU17dd0z81k/fVbGrtBBiM9g=’ ‘sha256-0pk2s4oXwBELlC6IBVb3nNaM2PjfjwI2N6OGIX5lx8Y=’ 
‘sha256-nkEZknO0IxNxY/CkTMBhjNhwPvglpYumjx31B4fjkY8=’ local.adguard.org ‘nonce-43e183d31a244cc9afdd777d8ef'”. Either the ‘unsafe-inline’ keyword, a hash (‘sha256-e/Z2oexnYMMazAD1BB1HCSAzJFPVQl0jcdMZ0rzgLFs=’), or a nonce (‘nonce-…’) is required to enable inline execution.
checkout/:534 Refused to execute inline script because it violates the following Content Security Policy directive: “script-src assets.adobedtm.com *.adobe.com www.googleadservices.com www.google-analytics.com googleads.g.doubleclick.net analytics.google.com www.googletagmanager.com *.newrelic.com *.nr-data.net geostag.cardinalcommerce.com 1eafstag.cardinalcommerce.com geoapi.cardinalcommerce.com 1eafapi.cardinalcommerce.com songbird.cardinalcommerce.com includestest.ccdc02.com www.paypal.com www.sandbox.paypal.com www.paypalobjects.com t.paypal.com s.ytimg.com www.googleapis.com *.vimeo.com www.vimeo.com *.vimeocdn.com *.youtube.com https://www.gstatic.com/recaptcha/ https://www.google.com/recaptcha/ *.commerce-payment-services.com *.typekit.net google.com *.google.com amcglobal.sc.omtrdc.net *.magento-ds.com use.typekit.net js.braintreegateway.com assets.braintreegateway.com c.paypal.com pay.google.com api.braintreegateway.com api.sandbox.braintreegateway.com client-analytics.braintreegateway.com client-analytics.sandbox.braintreegateway.com *.paypal.com songbirdstag.cardinalcommerce.com *.googleapis.com *.gstatic.com *.instagram.com www.google.com/recaptcha/ www.gstatic.com/recaptcha/ *.googleadservices.com *.google-analytics.com *assets.adobedtm.com *googleads.g.doubleclick.net *analytics.google.com *.googletagmanager.com *.cardinalcommerce.com *sandbox.paypal.com *.paypalobjects.com *t.paypal.com *s.ytimg.com https://www.gstatic.com/recaptcha https://www.google.com/recaptcha *.google.com/ *.avada.io *.stripe.com klarna.com *.klarna.com *.klarnacdn.net *.klarnaevt.com *.link.com ‘self’ ‘unsafe-eval’ ‘unsafe-hashes’ ‘nonce-bWNsY3p4Nmh6Ym8xZ2x3MWw4Y3JzbjM5NmNmbnRmcWQ=’ ‘sha256-W5akSSK6LD5BjIlNICMcXaUObQSRAaj6bs7JHADURBA=’ ‘sha256-3qVqeAdyxxTdPkkRzqapjGkAUYLahxSrB7Mdup+GPQ0=’ ‘sha256-2rvfFrggTCtyF5WOiTri1gDS8Boibj4Njn0e+VCBmDI=’ ‘sha256-p8MCfMHqrovsjRYU9z0bU17dd0z81k/fVbGrtBBiM9g=’ ‘sha256-0pk2s4oXwBELlC6IBVb3nNaM2PjfjwI2N6OGIX5lx8Y=’ 
‘sha256-nkEZknO0IxNxY/CkTMBhjNhwPvglpYumjx31B4fjkY8=’ local.adguard.org ‘nonce-43e183d31a244cc9afdd777d8ef'”. Either the ‘unsafe-inline’ keyword, a hash (‘sha256-2pJKvh8S8pidw7vX3byidefR8TWwPCFb8zTNQripi/I=’), or a nonce (‘nonce-…’) is required to enable inline execution.
checkout/:617 Refused to execute inline script because it violates the following Content Security Policy directive: “script-src assets.adobedtm.com *.adobe.com www.googleadservices.com www.google-analytics.com googleads.g.doubleclick.net analytics.google.com www.googletagmanager.com *.newrelic.com *.nr-data.net geostag.cardinalcommerce.com 1eafstag.cardinalcommerce.com geoapi.cardinalcommerce.com 1eafapi.cardinalcommerce.com songbird.cardinalcommerce.com includestest.ccdc02.com www.paypal.com www.sandbox.paypal.com www.paypalobjects.com t.paypal.com s.ytimg.com www.googleapis.com *.vimeo.com www.vimeo.com *.vimeocdn.com *.youtube.com https://www.gstatic.com/recaptcha/ https://www.google.com/recaptcha/ *.commerce-payment-services.com *.typekit.net google.com *.google.com amcglobal.sc.omtrdc.net *.magento-ds.com use.typekit.net js.braintreegateway.com assets.braintreegateway.com c.paypal.com pay.google.com api.braintreegateway.com api.sandbox.braintreegateway.com client-analytics.braintreegateway.com client-analytics.sandbox.braintreegateway.com *.paypal.com songbirdstag.cardinalcommerce.com *.googleapis.com *.gstatic.com *.instagram.com www.google.com/recaptcha/ www.gstatic.com/recaptcha/ *.googleadservices.com *.google-analytics.com *assets.adobedtm.com *googleads.g.doubleclick.net *analytics.google.com *.googletagmanager.com *.cardinalcommerce.com *sandbox.paypal.com *.paypalobjects.com *t.paypal.com *s.ytimg.com https://www.gstatic.com/recaptcha https://www.google.com/recaptcha *.google.com/ *.avada.io *.stripe.com klarna.com *.klarna.com *.klarnacdn.net *.klarnaevt.com *.link.com ‘self’ ‘unsafe-eval’ ‘unsafe-hashes’ ‘nonce-bWNsY3p4Nmh6Ym8xZ2x3MWw4Y3JzbjM5NmNmbnRmcWQ=’ ‘sha256-W5akSSK6LD5BjIlNICMcXaUObQSRAaj6bs7JHADURBA=’ ‘sha256-3qVqeAdyxxTdPkkRzqapjGkAUYLahxSrB7Mdup+GPQ0=’ ‘sha256-2rvfFrggTCtyF5WOiTri1gDS8Boibj4Njn0e+VCBmDI=’ ‘sha256-p8MCfMHqrovsjRYU9z0bU17dd0z81k/fVbGrtBBiM9g=’ ‘sha256-0pk2s4oXwBELlC6IBVb3nNaM2PjfjwI2N6OGIX5lx8Y=’ 
‘sha256-nkEZknO0IxNxY/CkTMBhjNhwPvglpYumjx31B4fjkY8=’ local.adguard.org ‘nonce-43e183d31a244cc9afdd777d8ef'”. Either the ‘unsafe-inline’ keyword, a hash (‘sha256-XmRQlLFP7QNSk28pMd0V2lwnOJW58FLjnKNso9oV4dc=’), or a nonce (‘nonce-…’) is required to enable inline execution.
checkout/:617 Refused to execute inline script because it violates the following Content Security Policy directive: “script-src assets.adobedtm.com *.adobe.com www.googleadservices.com www.google-analytics.com googleads.g.doubleclick.net analytics.google.com www.googletagmanager.com *.newrelic.com *.nr-data.net geostag.cardinalcommerce.com 1eafstag.cardinalcommerce.com geoapi.cardinalcommerce.com 1eafapi.cardinalcommerce.com songbird.cardinalcommerce.com includestest.ccdc02.com www.paypal.com www.sandbox.paypal.com www.paypalobjects.com t.paypal.com s.ytimg.com www.googleapis.com *.vimeo.com www.vimeo.com *.vimeocdn.com *.youtube.com https://www.gstatic.com/recaptcha/ https://www.google.com/recaptcha/ *.commerce-payment-services.com *.typekit.net google.com *.google.com amcglobal.sc.omtrdc.net *.magento-ds.com use.typekit.net js.braintreegateway.com assets.braintreegateway.com c.paypal.com pay.google.com api.braintreegateway.com api.sandbox.braintreegateway.com client-analytics.braintreegateway.com client-analytics.sandbox.braintreegateway.com *.paypal.com songbirdstag.cardinalcommerce.com *.googleapis.com *.gstatic.com *.instagram.com www.google.com/recaptcha/ www.gstatic.com/recaptcha/ *.googleadservices.com *.google-analytics.com *assets.adobedtm.com *googleads.g.doubleclick.net *analytics.google.com *.googletagmanager.com *.cardinalcommerce.com *sandbox.paypal.com *.paypalobjects.com *t.paypal.com *s.ytimg.com https://www.gstatic.com/recaptcha https://www.google.com/recaptcha *.google.com/ *.avada.io *.stripe.com klarna.com *.klarna.com *.klarnacdn.net *.klarnaevt.com *.link.com ‘self’ ‘unsafe-eval’ ‘unsafe-hashes’ ‘nonce-bWNsY3p4Nmh6Ym8xZ2x3MWw4Y3JzbjM5NmNmbnRmcWQ=’ ‘sha256-W5akSSK6LD5BjIlNICMcXaUObQSRAaj6bs7JHADURBA=’ ‘sha256-3qVqeAdyxxTdPkkRzqapjGkAUYLahxSrB7Mdup+GPQ0=’ ‘sha256-2rvfFrggTCtyF5WOiTri1gDS8Boibj4Njn0e+VCBmDI=’ ‘sha256-p8MCfMHqrovsjRYU9z0bU17dd0z81k/fVbGrtBBiM9g=’ ‘sha256-0pk2s4oXwBELlC6IBVb3nNaM2PjfjwI2N6OGIX5lx8Y=’ 
‘sha256-nkEZknO0IxNxY/CkTMBhjNhwPvglpYumjx31B4fjkY8=’ local.adguard.org ‘nonce-43e183d31a244cc9afdd777d8ef'”. Either the ‘unsafe-inline’ keyword, a hash (‘sha256-SANlPrNooV56FOn74IfU61P3x+PFYg+BL3dea/SBq+A=’), or a nonce (‘nonce-…’) is required to enable inline execution.
checkout/:717 Refused to execute inline script because it violates the following Content Security Policy directive: “script-src assets.adobedtm.com *.adobe.com www.googleadservices.com www.google-analytics.com googleads.g.doubleclick.net analytics.google.com www.googletagmanager.com *.newrelic.com *.nr-data.net geostag.cardinalcommerce.com 1eafstag.cardinalcommerce.com geoapi.cardinalcommerce.com 1eafapi.cardinalcommerce.com songbird.cardinalcommerce.com includestest.ccdc02.com www.paypal.com www.sandbox.paypal.com www.paypalobjects.com t.paypal.com s.ytimg.com www.googleapis.com *.vimeo.com www.vimeo.com *.vimeocdn.com *.youtube.com https://www.gstatic.com/recaptcha/ https://www.google.com/recaptcha/ *.commerce-payment-services.com *.typekit.net google.com *.google.com amcglobal.sc.omtrdc.net *.magento-ds.com use.typekit.net js.braintreegateway.com assets.braintreegateway.com c.paypal.com pay.google.com api.braintreegateway.com api.sandbox.braintreegateway.com client-analytics.braintreegateway.com client-analytics.sandbox.braintreegateway.com *.paypal.com songbirdstag.cardinalcommerce.com *.googleapis.com *.gstatic.com *.instagram.com www.google.com/recaptcha/ www.gstatic.com/recaptcha/ *.googleadservices.com *.google-analytics.com *assets.adobedtm.com *googleads.g.doubleclick.net *analytics.google.com *.googletagmanager.com *.cardinalcommerce.com *sandbox.paypal.com *.paypalobjects.com *t.paypal.com *s.ytimg.com https://www.gstatic.com/recaptcha https://www.google.com/recaptcha *.google.com/ *.avada.io *.stripe.com klarna.com *.klarna.com *.klarnacdn.net *.klarnaevt.com *.link.com ‘self’ ‘unsafe-eval’ ‘unsafe-hashes’ ‘nonce-bWNsY3p4Nmh6Ym8xZ2x3MWw4Y3JzbjM5NmNmbnRmcWQ=’ ‘sha256-W5akSSK6LD5BjIlNICMcXaUObQSRAaj6bs7JHADURBA=’ ‘sha256-3qVqeAdyxxTdPkkRzqapjGkAUYLahxSrB7Mdup+GPQ0=’ ‘sha256-2rvfFrggTCtyF5WOiTri1gDS8Boibj4Njn0e+VCBmDI=’ ‘sha256-p8MCfMHqrovsjRYU9z0bU17dd0z81k/fVbGrtBBiM9g=’ ‘sha256-0pk2s4oXwBELlC6IBVb3nNaM2PjfjwI2N6OGIX5lx8Y=’ 
‘sha256-nkEZknO0IxNxY/CkTMBhjNhwPvglpYumjx31B4fjkY8=’ local.adguard.org ‘nonce-43e183d31a244cc9afdd777d8ef'”. Either the ‘unsafe-inline’ keyword, a hash (‘sha256-JvihZnjafGPo2MoeOS+8wcfHNYaEAowNr8BBxuw7Vm0=’), or a nonce (‘nonce-…’) is required to enable inline execution.
checkout/:734 Refused to execute inline script because it violates the following Content Security Policy directive: “script-src assets.adobedtm.com *.adobe.com www.googleadservices.com www.google-analytics.com googleads.g.doubleclick.net analytics.google.com www.googletagmanager.com *.newrelic.com *.nr-data.net geostag.cardinalcommerce.com 1eafstag.cardinalcommerce.com geoapi.cardinalcommerce.com 1eafapi.cardinalcommerce.com songbird.cardinalcommerce.com includestest.ccdc02.com www.paypal.com www.sandbox.paypal.com www.paypalobjects.com t.paypal.com s.ytimg.com www.googleapis.com *.vimeo.com www.vimeo.com *.vimeocdn.com *.youtube.com https://www.gstatic.com/recaptcha/ https://www.google.com/recaptcha/ *.commerce-payment-services.com *.typekit.net google.com *.google.com amcglobal.sc.omtrdc.net *.magento-ds.com use.typekit.net js.braintreegateway.com assets.braintreegateway.com c.paypal.com pay.google.com api.braintreegateway.com api.sandbox.braintreegateway.com client-analytics.braintreegateway.com client-analytics.sandbox.braintreegateway.com *.paypal.com songbirdstag.cardinalcommerce.com *.googleapis.com *.gstatic.com *.instagram.com www.google.com/recaptcha/ www.gstatic.com/recaptcha/ *.googleadservices.com *.google-analytics.com *assets.adobedtm.com *googleads.g.doubleclick.net *analytics.google.com *.googletagmanager.com *.cardinalcommerce.com *sandbox.paypal.com *.paypalobjects.com *t.paypal.com *s.ytimg.com https://www.gstatic.com/recaptcha https://www.google.com/recaptcha *.google.com/ *.avada.io *.stripe.com klarna.com *.klarna.com *.klarnacdn.net *.klarnaevt.com *.link.com ‘self’ ‘unsafe-eval’ ‘unsafe-hashes’ ‘nonce-bWNsY3p4Nmh6Ym8xZ2x3MWw4Y3JzbjM5NmNmbnRmcWQ=’ ‘sha256-W5akSSK6LD5BjIlNICMcXaUObQSRAaj6bs7JHADURBA=’ ‘sha256-3qVqeAdyxxTdPkkRzqapjGkAUYLahxSrB7Mdup+GPQ0=’ ‘sha256-2rvfFrggTCtyF5WOiTri1gDS8Boibj4Njn0e+VCBmDI=’ ‘sha256-p8MCfMHqrovsjRYU9z0bU17dd0z81k/fVbGrtBBiM9g=’ ‘sha256-0pk2s4oXwBELlC6IBVb3nNaM2PjfjwI2N6OGIX5lx8Y=’ 
‘sha256-nkEZknO0IxNxY/CkTMBhjNhwPvglpYumjx31B4fjkY8=’ local.adguard.org ‘nonce-43e183d31a244cc9afdd777d8ef'”. Either the ‘unsafe-inline’ keyword, a hash (‘sha256-3qSGNfpNA++VElQWsut+bVsZSa3/qgg2vOsN9qdxNjk=’), or a nonce (‘nonce-…’) is required to enable inline execution.
checkout/:788 Refused to execute inline script because it violates the following Content Security Policy directive: “script-src assets.adobedtm.com *.adobe.com www.googleadservices.com www.google-analytics.com googleads.g.doubleclick.net analytics.google.com www.googletagmanager.com *.newrelic.com *.nr-data.net geostag.cardinalcommerce.com 1eafstag.cardinalcommerce.com geoapi.cardinalcommerce.com 1eafapi.cardinalcommerce.com songbird.cardinalcommerce.com includestest.ccdc02.com www.paypal.com www.sandbox.paypal.com www.paypalobjects.com t.paypal.com s.ytimg.com www.googleapis.com *.vimeo.com www.vimeo.com *.vimeocdn.com *.youtube.com https://www.gstatic.com/recaptcha/ https://www.google.com/recaptcha/ *.commerce-payment-services.com *.typekit.net google.com *.google.com amcglobal.sc.omtrdc.net *.magento-ds.com use.typekit.net js.braintreegateway.com assets.braintreegateway.com c.paypal.com pay.google.com api.braintreegateway.com api.sandbox.braintreegateway.com client-analytics.braintreegateway.com client-analytics.sandbox.braintreegateway.com *.paypal.com songbirdstag.cardinalcommerce.com *.googleapis.com *.gstatic.com *.instagram.com www.google.com/recaptcha/ www.gstatic.com/recaptcha/ *.googleadservices.com *.google-analytics.com *assets.adobedtm.com *googleads.g.doubleclick.net *analytics.google.com *.googletagmanager.com *.cardinalcommerce.com *sandbox.paypal.com *.paypalobjects.com *t.paypal.com *s.ytimg.com https://www.gstatic.com/recaptcha https://www.google.com/recaptcha *.google.com/ *.avada.io *.stripe.com klarna.com *.klarna.com *.klarnacdn.net *.klarnaevt.com *.link.com ‘self’ ‘unsafe-eval’ ‘unsafe-hashes’ ‘nonce-bWNsY3p4Nmh6Ym8xZ2x3MWw4Y3JzbjM5NmNmbnRmcWQ=’ ‘sha256-W5akSSK6LD5BjIlNICMcXaUObQSRAaj6bs7JHADURBA=’ ‘sha256-3qVqeAdyxxTdPkkRzqapjGkAUYLahxSrB7Mdup+GPQ0=’ ‘sha256-2rvfFrggTCtyF5WOiTri1gDS8Boibj4Njn0e+VCBmDI=’ ‘sha256-p8MCfMHqrovsjRYU9z0bU17dd0z81k/fVbGrtBBiM9g=’ ‘sha256-0pk2s4oXwBELlC6IBVb3nNaM2PjfjwI2N6OGIX5lx8Y=’ 
‘sha256-nkEZknO0IxNxY/CkTMBhjNhwPvglpYumjx31B4fjkY8=’ local.adguard.org ‘nonce-43e183d31a244cc9afdd777d8ef'”. Either the ‘unsafe-inline’ keyword, a hash (‘sha256-4P/9kgZbwJLlMbCR29cExBS26oSZ7Ln6zU48qIrCYXc=’), or a nonce (‘nonce-…’) is required to enable inline execution.
checkout/:788 Refused to execute inline script because it violates the following Content Security Policy directive: “script-src assets.adobedtm.com *.adobe.com www.googleadservices.com www.google-analytics.com googleads.g.doubleclick.net analytics.google.com www.googletagmanager.com *.newrelic.com *.nr-data.net geostag.cardinalcommerce.com 1eafstag.cardinalcommerce.com geoapi.cardinalcommerce.com 1eafapi.cardinalcommerce.com songbird.cardinalcommerce.com includestest.ccdc02.com www.paypal.com www.sandbox.paypal.com www.paypalobjects.com t.paypal.com s.ytimg.com www.googleapis.com *.vimeo.com www.vimeo.com *.vimeocdn.com *.youtube.com https://www.gstatic.com/recaptcha/ https://www.google.com/recaptcha/ *.commerce-payment-services.com *.typekit.net google.com *.google.com amcglobal.sc.omtrdc.net *.magento-ds.com use.typekit.net js.braintreegateway.com assets.braintreegateway.com c.paypal.com pay.google.com api.braintreegateway.com api.sandbox.braintreegateway.com client-analytics.braintreegateway.com client-analytics.sandbox.braintreegateway.com *.paypal.com songbirdstag.cardinalcommerce.com *.googleapis.com *.gstatic.com *.instagram.com www.google.com/recaptcha/ www.gstatic.com/recaptcha/ *.googleadservices.com *.google-analytics.com *assets.adobedtm.com *googleads.g.doubleclick.net *analytics.google.com *.googletagmanager.com *.cardinalcommerce.com *sandbox.paypal.com *.paypalobjects.com *t.paypal.com *s.ytimg.com https://www.gstatic.com/recaptcha https://www.google.com/recaptcha *.google.com/ *.avada.io *.stripe.com klarna.com *.klarna.com *.klarnacdn.net *.klarnaevt.com *.link.com ‘self’ ‘unsafe-eval’ ‘unsafe-hashes’ ‘nonce-bWNsY3p4Nmh6Ym8xZ2x3MWw4Y3JzbjM5NmNmbnRmcWQ=’ ‘sha256-W5akSSK6LD5BjIlNICMcXaUObQSRAaj6bs7JHADURBA=’ ‘sha256-3qVqeAdyxxTdPkkRzqapjGkAUYLahxSrB7Mdup+GPQ0=’ ‘sha256-2rvfFrggTCtyF5WOiTri1gDS8Boibj4Njn0e+VCBmDI=’ ‘sha256-p8MCfMHqrovsjRYU9z0bU17dd0z81k/fVbGrtBBiM9g=’ ‘sha256-0pk2s4oXwBELlC6IBVb3nNaM2PjfjwI2N6OGIX5lx8Y=’ 
‘sha256-nkEZknO0IxNxY/CkTMBhjNhwPvglpYumjx31B4fjkY8=’ local.adguard.org ‘nonce-43e183d31a244cc9afdd777d8ef'”. Either the ‘unsafe-inline’ keyword, a hash (‘sha256-FrXvCOkkeFvglnyxyg25q8n43YrTNpYxz3Rfcu3rUMY=’), or a nonce (‘nonce-…’) is required to enable inline execution.
Can someone kindly advise how to turn that into CSP code?
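
One way to turn console output like the above into `csp_whitelist.xml` entries, as an added example that is not part of the original post and not Magento's own code: it pulls the hash Chrome proposes out of each violation and writes it as a `type="hash"` value under `script-src`. The inline scripts, console lines, function names and `inline-script-N` ids are constructed for illustration.

```python
import base64
import hashlib
import re

# Constructed inline scripts standing in for blocks on the checkout page.
SAMPLE_SCRIPTS = {
    "checkout/:11": "window.exampleConfig = {};",
    "checkout/:293": "require(['jquery'], function ($) {});",
}


def csp_hash(script_text: str) -> str:
    """CSP hash source for an inline script: SHA-256 over the exact text
    between <script> and </script>, base64-encoded."""
    digest = hashlib.sha256(script_text.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


def sample_console_log() -> str:
    """Constructed console output in the shape Chrome prints (policy shortened)."""
    lines = []
    for i, (where, script) in enumerate(SAMPLE_SCRIPTS.items()):
        # Forum software often rewrites ' as typographic quotes; cover both.
        lq, rq = ("\u2018", "\u2019") if i % 2 else ("'", "'")
        lines.append(
            f"{where} Refused to execute inline script because it violates the "
            f"following Content Security Policy directive: \"script-src {lq}self{rq}\".\n"
            f"Either the {lq}unsafe-inline{rq} keyword, a hash ({lq}{csp_hash(script)}{rq}), "
            f"or a nonce ({lq}nonce-...{rq}) is required to enable inline execution."
        )
    lines.append(lines[0])  # the same violation reported twice
    return "\n".join(lines)


QUOTE = "['\u2018\u2019]"
VIOLATION = re.compile(
    r"(?P<where>\S+:\d+) Refused to execute inline script.*?a hash \("
    + QUOTE + r"(?P<source>sha(?:256|384|512)-[A-Za-z0-9+/]+={0,2})" + QUOTE + r"\)",
    re.DOTALL,  # a single message may be wrapped across lines
)


def extract_violations(console_text: str):
    """Return [(location, hash_source)] in order, de-duplicated by hash.
    One location can carry several scripts, so the hash is the key."""
    seen, found = set(), []
    for match in VIOLATION.finditer(console_text):
        source = match.group("source")
        if source not in seen:
            seen.add(source)
            found.append((match.group("where"), source))
    return found


def whitelist_xml(violations) -> str:
    """Render script-src hash entries for a module's etc/csp_whitelist.xml."""
    rows = []
    for n, (where, source) in enumerate(violations, 1):
        algorithm, _, b64 = source.partition("-")
        # Magento takes the algorithm as an attribute and the bare base64
        # digest as the element text (no "sha256-" prefix).
        rows.append(f"                <!-- reported at {where}: review the script before allowing it -->")
        rows.append(f'                <value id="inline-script-{n}" type="hash" '
                    f'algorithm="{algorithm}">{b64}</value>')
    return "\n".join([
        '<?xml version="1.0"?>',
        '<csp_whitelist xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
        'xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Csp:etc/csp_whitelist.xsd">',
        "    <policies>",
        '        <policy id="script-src">',
        "            <values>",
        *rows,
        "            </values>",
        "        </policy>",
        "    </policies>",
        "</csp_whitelist>",
    ])


if __name__ == "__main__":
    print(whitelist_xml(extract_violations(sample_console_log())))
```

A hash only matches while the inline script is byte-for-byte identical, so a block that embeds per-request data needs a nonce instead of a hash. Check what each reported script actually is before adding its hash, since an allowed hash lets that exact script run on every page the policy covers.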