In Magento 2.4.8.x the Content Security Policy (CSP) system is strict by default, and checkout pages often trigger CSP errors (Bootstrap, Google Fonts, payment iframe scripts, etc.).
To whitelist or ignore these CSP errors, you need to configure CSP policies in your module/theme via csp_whitelist.xml.
Steps to Whitelist CSP in Magento 2.4.8.x
Locate or Create a CSP whitelist file
In your custom module or theme, add:or in theme:
Basic Example – Allow Bootstrap, Fonts, Inline
- Create
app/code/Vendor/Module/etc/config.xml
<?xml version="1.0"?> <config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Store:etc/config.xsd"> <default> <csp> <mode> <storefront_checkout_index_index> <report_only>1</report_only> </storefront_checkout_index_index> </mode> <policies> <storefront_checkout_index_index> <scripts> <inline>0</inline> <event_handlers>1</event_handlers> </scripts> </storefront_checkout_index_index> </policies> </csp> </default> </config>
👉 For checkout page specifically, you usually need:
style-srcandfont-srcfor Google Fonts/Bootstrapscript-srcfor external payment JSframe-srcfor iframes (Stripe, PayPal, Braintree, Adyen, etc.)'unsafe-inline'if inline scripts/styles are used
