Reputation: 193
I am integrating with a third party library (Chargebee) and I am receiving Content Security Violation errors.
As far as I can tell, I don't have CSP defined in my web page as it doesn't return a CSP response header:
Although, when trying to utilise this library I'm getting errors along the lines of:
Questions
I'm using other third-party JS libraries; why am I not getting this error for any of them? I've never had to specify a CSP for any previously.
If I do actually define a CSP, I'm then blocking the other third party libraries. Can I allow Chargebee without then blocking others (and without having to include them all in the CSP)?
It doesn't make sense. It suggests that I don't have a CSP defined seeing as it's not returned in my headers and I can use third party resources, I have even verified this using the Chrome CSP evaluator extension. And yet, the error messages show that I do have a CSP policy defined.
Am I missing something?
Upvotes: 0
Views: 1116
Reputation: 1
If I do actually define a CSP, I'm then blocking the other third party libraries. Can I allow Chargebee without then blocking others (and without having to include them all in the CSP)?
No - CSP is an allowlist protocol.
If you define a CSP, you need to map out all the various needed resources - at least for the directives that you are using (for example you can confine your CSP to only script-src and object-src, and ignore others).
Since you cannot control or predict which directives are needed for Chargebee CSP, it's best to use predetermined CSP packages, and a CSP generator.
Upvotes: -1
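As an added example (not from the question or the answer above), the allowlist behaviour the answer describes, written as a small JavaScript evaluator: a directive that is present allows only its listed sources, a directive that is absent falls back to default-src, and with neither present nothing is restricted. The policy string and hostnames (shop.example, vendor.example) are constructed placeholders, not Chargebee's real origins.

```javascript
// Added example: minimal evaluator for CSP fetch-directive allowlist semantics.
// Supports 'self', 'none', scheme sources ("https:") and host sources with an
// optional scheme and a leading "*." wildcard. Ports and nonces are not modelled.

function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources.map((s) => s.toLowerCase());
  }
  return policy;
}

// Does one source expression match the resource URL loaded from pageOrigin?
function sourceMatches(expr, url, pageOrigin) {
  if (expr === "'self'") return url.origin === pageOrigin;
  if (expr === "'none'") return false;
  if (/^[a-z][a-z0-9+.-]*:$/.test(expr)) return url.protocol === expr;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)/.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && scheme + ':' !== url.protocol) return false;
  return wildcard ? url.hostname.endsWith('.' + host) : url.hostname === host;
}

// The governing list is the specific directive, else default-src; with neither
// present the browser does not restrict that resource type at all.
function isAllowed(policy, directive, resourceUrl, pageOrigin) {
  const sources = policy[directive] ?? policy['default-src'];
  if (sources === undefined) return true;
  const url = new URL(resourceUrl);
  return sources.some((expr) => sourceMatches(expr, url, pageOrigin));
}

// Constructed policy: scripts only from the page itself and the vendor's
// subdomains; plugins blocked; no style-src and no default-src.
const EXAMPLE_POLICY = "script-src 'self' https://*.vendor.example; object-src 'none'";
const PAGE_ORIGIN = 'https://shop.example';

function checks() {
  const p = parseCsp(EXAMPLE_POLICY);
  return {
    vendorScript: isAllowed(p, 'script-src', 'https://js.vendor.example/lib.js', PAGE_ORIGIN),
    otherScript: isAllowed(p, 'script-src', 'https://cdn.other.example/x.js', PAGE_ORIGIN),
    httpVendor: isAllowed(p, 'script-src', 'http://js.vendor.example/lib.js', PAGE_ORIGIN),
    anyStyle: isAllowed(p, 'style-src', 'https://cdn.other.example/x.css', PAGE_ORIGIN),
    selfObject: isAllowed(p, 'object-src', 'https://shop.example/a.swf', PAGE_ORIGIN),
  };
}
```

Adding a `default-src` to EXAMPLE_POLICY is the quickest way to see why a partial policy suddenly starts blocking every other library: `anyStyle` flips to false unless that origin is listed too.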