Content Security Policy (CSP) is a silent killer of conversion rates when it is not dealt with properly. It is not evil in itself; it is a security measure you need. However, many sites skip the work of implementing it properly.

Major browsers keep tightening their enforcement of Content Security Policy: scripts from origins that the policy does not whitelist are blocked from executing, which can cause parts of your site to stop functioning. JavaScript is an inherent part of modern eCommerce sites, so these issues could be affecting your PLPs, PDPs or even your checkout process.

What is CSP (Content Security Policy)?

Content Security Policy (CSP) mitigates Cross-Site Scripting (XSS) and related attacks. It stops rogue JS executing on the site, such as scripts programmed to skim card numbers, hijack sessions or steal other data. The web server sends the CSP to the browser as a whitelist of the origins from which scripts, styles and other resources may be loaded, so the browser knows which JS, images and CSS it is allowed to load and execute.

Why could this be affecting you?

The scary part of this issue is that your QA process may not pick it up: each browser has a different level of support for CSP Level 2, so the behaviour depends on the browser type and version. Even if your QA team tests in Chrome, they may not be able to reproduce the bug.

Solution

You will need to review all JS scripts on the site, external and inline, and start whitelisting every script you recognise. Magento 2 introduced features in 2.3.5 that allow you to do this at the code level; whitelisting can be done at the code level and at the server level. It is best practice to make this part of your frontend development workflow, as browsers will only enforce CSP harder, breaking sites that do not follow the directives.
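A way to make the review above repeatable rather than browser-dependent is to check the scripts found on a page against the script-src directive the server sends, the way a CSP Level 2 browser would. The following Python is an added example, not code from this post or from Magento; the policy header, page origin and script list are constructed sample data, and the matcher covers 'self', scheme sources, host sources with a leading wildcard, nonces and 'unsafe-inline' (ports, paths and hash sources are left out).

```python
from urllib.parse import urlparse

POLICY = "script-src 'self' *.analytics-vendor.example 'nonce-r4nd0m'"  # constructed sample header
PAGE_ORIGIN = "https://shop.example.com"
SCRIPTS = [  # ("external", url) or ("inline", nonce attribute or None); constructed sample
    ("external", "https://shop.example.com/static/frontend/checkout.js"),  # 'self'
    ("external", "https://tag.analytics-vendor.example/t.js"),             # wildcard subdomain
    ("external", "https://analytics-vendor.example/t.js"),                 # apex host: *. does not cover it
    ("external", "https://unreviewed-widget.example/w.js"),                # not whitelisted at all
    ("inline", "r4nd0m"),                                                  # nonce matches the policy
    ("inline", None),                                                      # no nonce, no 'unsafe-inline'
]

def parse_script_src(header):
    """Source expressions of script-src; None means the browser falls back to default-src."""
    for directive in header.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "script-src":
            return parts[1:]
    return None

def source_allows(expr, url, page_origin):  # one 'self', scheme- or host-source vs one URL
    page, u = urlparse(page_origin), urlparse(url)
    if expr == "'self'":
        return (u.scheme, u.netloc) == (page.scheme, page.netloc)
    if expr.startswith("'"):
        return False  # other keywords, nonces and hashes never match an external URL
    if expr.endswith(":") and "://" not in expr:
        return u.scheme == expr[:-1]  # scheme-source such as https:
    scheme, _, rest = expr.partition("://")
    if not rest:
        scheme, rest = None, expr  # host-source written without a scheme
    host = rest.split("/")[0].split(":")[0]
    scheme_ok = u.scheme == scheme if scheme else u.scheme in (page.scheme, "https")
    if host.startswith("*."):  # "*.a.example" matches "x.a.example" but not "a.example"
        return scheme_ok and u.hostname.endswith(host[1:])
    return scheme_ok and u.hostname == host

def script_allowed(script, sources, page_origin):
    kind, value = script
    if kind == "inline":
        nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in sources)
        if "'unsafe-inline'" in sources and not nonce_or_hash:
            return True  # CSP Level 2: 'unsafe-inline' is ignored once a nonce or hash is present
        return value is not None and f"'nonce-{value}'" in sources
    return any(source_allows(s, value, page_origin) for s in sources)

def blocked_scripts(header, page_origin, scripts):  # what QA must whitelist or remove
    sources = parse_script_src(header) or []
    return [s for s in scripts if not script_allowed(s, sources, page_origin)]
```

Run `blocked_scripts(POLICY, PAGE_ORIGIN, SCRIPTS)` against the sample data and it reports the apex analytics host, the unreviewed widget and the nonce-less inline script, the three things a browser would silently refuse.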
