Hello,
We are currently experiencing a Content Security Policy issue on the Magento 2 checkout that appears to be related to the Stape loader.
Magento version:
2.4.8-p5
The issue only occurs on the checkout page.
We have already added the following domains to the checkout CSP whitelist:
-
load.sst.lumicom.it -
sst.lumicom.it -
*.lumicom.it
However, the issue is still present on the live checkout.
Our Magento developer believes that the problem may be caused by inline scripts injected by the Stape loader. These scripts do not appear to include a CSP nonce, so Magento continues to block them even though the relevant Stape domains have been added to the whitelist.
When Magento CSP is switched to report-only mode, the checkout works correctly. When CSP enforcement is enabled, the inline scripts are blocked and the issue occurs again.
Could you please clarify the recommended approach for using the Stape loader on a Magento 2 checkout with CSP enforcement enabled?
In particular, we would like to understand:
-
whether the Stape loader supports Magento CSP nonces;
-
whether a specific Magento 2 configuration is required;
-
whether the loader can avoid injecting inline scripts;
-
whether a nonce-compatible or CSP-safe implementation is available;
-
whether any additional CSP directives, hashes, or domains need to be added.