Zend certified PHP/Magento developer

Magento CSP: style-src missing from response header

We have added

<?xml version="1.0"?>
<csp_whitelist xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Csp:etc/csp_whitelist.xsd">
    <policies>
        <policy id="style-src">
            <values>
                <value id="typekit" type="host">*.typekit.net</value>
            </values>
        </policy>
    </policies>
</csp_whitelist>

to the etc/csp_whitelist.xml of a module within app/code/, in order to allow externally included fonts via TypeKit on the site. However, the resulting content-security-policy-report-only response header does not contain style-src at all. And it is not just our module that defines something for the style-src policy: there are in fact a few Magento core modules that would add their own style-src policy. But they do not show up at all in the response generated by Magento. The current content of that response header only looks like this:

font-src *.fontawesome.com *.yotpo.com *.googleapis.com *.gstatic.com 'self' 'unsafe-inline'; form-action geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com secure.authorize.net test.authorize.net *.yotpo.com 'self' 'unsafe-inline'; frame-ancestors 'self' 'unsafe-inline'; frame-src geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcom…merce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com api.comapi.com webchat.dotdigital.com *.yotpo.com 'self' 'unsafe-inline'; child-src 'self' 'unsafe-inline'; default-src 'self' 'unsafe-inline' 'unsafe-eval'; base-uri 'self' 'unsafe-inline';

Are there any additional steps necessary to enable style-src for CSP?

  • Magento 2.3.7
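Added example (not from the question and not Magento's own code): a small Python checker that parses a CSP header value like the one above and reports which directive actually governs a request. When style-src is absent, browsers fall back to default-src, so with the header shown a Typekit stylesheet would be reported as a violation. The header strings and the hostnames `shop.example` and `use.typekit.net` are constructed for the example.

```python
from urllib.parse import urlparse

# Fetch directives that fall back to default-src when they are not set.
FALLBACK_TO_DEFAULT = {
    "style-src", "script-src", "img-src", "font-src", "connect-src",
    "media-src", "object-src", "frame-src", "child-src", "worker-src",
}

# Constructed, shortened version of the report-only header from the question.
REPORTED_HEADER = ("font-src *.googleapis.com 'self' 'unsafe-inline'; "
                   "default-src 'self' 'unsafe-inline' 'unsafe-eval'; base-uri 'self'")
# Constructed header showing what a working style-src whitelist would look like.
FIXED_HEADER = REPORTED_HEADER + "; style-src *.typekit.net 'self' 'unsafe-inline'"


def parse_csp(header: str) -> dict:
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy.setdefault(tokens[0].lower(), []).extend(tokens[1:])
    return policy


def host_matches(source: str, url: str, page_host: str) -> bool:
    """Check whether one source expression (e.g. *.typekit.net) allows a URL."""
    host = (urlparse(url).hostname or "").lower()
    if source == "'self'":
        return host == page_host
    if source == "*":
        return True
    if source.startswith("'"):          # 'unsafe-inline', nonces etc. never match a URL
        return False
    pattern = source.split("://", 1)[-1].split("/", 1)[0].lower()
    if pattern.startswith("*."):        # wildcard host: subdomains only, not the apex
        return host.endswith(pattern[1:])
    return host == pattern


def check_directive(header: str, directive: str, url: str, page_host: str) -> dict:
    """Report which directive governs the request and whether the URL is allowed."""
    policy = parse_csp(header)
    if directive in policy:
        used = directive
    elif directive in FALLBACK_TO_DEFAULT and "default-src" in policy:
        used = "default-src"
    else:
        return {"directive_used": None, "allowed": True}   # unrestricted
    allowed = any(host_matches(s, url, page_host) for s in policy[used])
    return {"directive_used": used, "allowed": allowed}


if __name__ == "__main__":
    css = "https://use.typekit.net/example.css"
    print(check_directive(REPORTED_HEADER, "style-src", css, "shop.example"))
    print(check_directive(FIXED_HEADER, "style-src", css, "shop.example"))
```

Running it against the reported header shows default-src deciding the stylesheet request and blocking it, which is the violation a working style-src entry removes.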