Magento 2 Checkout CSP Issue with Stape Loader

Hello,

We are currently experiencing a Content Security Policy issue on the Magento 2 checkout that appears to be related to the Stape loader.

Magento version:
2.4.8-p5

The issue only occurs on the checkout page.

We have already added the following domains to the checkout CSP whitelist:

  • load.sst.lumicom.it

  • sst.lumicom.it

  • *.lumicom.it

However, the issue is still present on the live checkout.

Our Magento developer believes that the problem may be caused by inline scripts injected by the Stape loader. These scripts do not appear to include a CSP nonce, so Magento continues to block them even though the relevant Stape domains have been added to the whitelist.

When Magento CSP is switched to report-only mode, the checkout works correctly. When CSP enforcement is enabled, the inline scripts are blocked and the issue occurs again.

Could you please clarify the recommended approach for using the Stape loader on a Magento 2 checkout with CSP enforcement enabled?

In particular, we would like to understand:

  • whether the Stape loader supports Magento CSP nonces;

  • whether a specific Magento 2 configuration is required;

  • whether the loader can avoid injecting inline scripts;

  • whether a nonce-compatible or CSP-safe implementation is available;

  • whether any additional CSP directives, hashes, or domains need to be added.

Hello,

Thank you for reaching out,
We’re already aware of this one and working on it, an upcoming release is designed to make the loader CSP-safe out of the box, which should resolve this under CSP enforcement.

The current loader injects an inline script without a nonce, which is why enforcement blocks it, and why whitelisting domains alone doesn’t help, since a domain in script-src only covers external requests, not the inline script.
The upcoming release should add the required inline-script hash automatically.

We appreciate your cooperation.

Hello,

What are we supposed to do in the meantime? Should we change the CSP from strict/restrict mode to report-only at checkout?

Also, when are you planning to release the updated version?

Thank you.

Hello,

That would be your call on handling the CSP, but just keep in mind that switching to report-only disables CSP enforcement on the checkout page while it’s active.

Rest assured, the updated version of the app is expected to go live this week.

Thank you for your patience and understanding.

Hello,

is the updated version available?

Thank you