What does '[Report Only] Refused to load..' mean in Magento?

After updating Magento to v2.3.5 you may find lots of errors like these in the Chrome console. It’s not a bug it’s a feature!

“Chrome csp error” Screenshot badly censored for privacy reasons

If you’re seeing your console full of errors like this don’t worry, they are just Content Security Policy (CSP) notifications which help prevent cross-site scripting (XSS) attacks.

Magento_Csp module

By default, the module doesn’t block cross sites script but adds all those annoying notofication in the console. if you want a higher level of security, just configure the module in this way:

<?xml version="1.0"?>
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Store:etc/config.xsd">

If you want to remove the notifications you need to whitelist the allowed source. In your custom module create etc/csp_whitelist.xml and add:

<?xml version="1.0"?>
<csp_whitelist xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Csp:etc/csp_whitelist.xsd">
        <policy id="script-src">
                <value id="secure-host" type="host">https://my-secure-host.com</value>

See Magento dev docs for details

Rear window, Alfred Hitchcock, 1954

Irene Iaccio

Freelance web developer

Subscribe to the monthly digest!

I'll use your email only to send you the latest posts once a month.