Reputation: 1
I have a OneTrust script to embed in my project. Even after adding the code, the cookie banner is not accessible and does not pop up because of the configuration we used in our project. What change can I make to the line below to ensure the banner is accessible? Note: if I comment out the line below, the banner is accessible, but it causes a security risk.
Configuration that we commented out to enable the banner:
Header set Content-Security-Policy "default-src 'unsafe-inline' 'unsafe-eval' https://*; frame-ancestors 'self';"
Tried with:
Header set Content-Security-Policy "default-src 'self'; script-src 'self' https://cdn.cookielaw.org; style-src 'self' 'unsafe-inline' https://cdn.cookielaw.org; frame-ancestors 'self';"
Received this in the console:
Refused to connect to ' https://cdn.cookielaw.org/consent/16cc4bef-039e-4015-b3dc-05552d35810b-test/16cc4bef-039e-4015-b3dc-05552d35810b-test.json' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.
Can someone suggest the changes I should make so that the cookie banner is accessible?
Upvotes: 0
Views: 110
Reputation: 3475
You're setting cdn.cookielaw.org in style-src and script-src, but it seems like you also need to set it in connect-src, which needs to be added to the policy.
The error message stated in your comment indicates a different policy than the one in the question. This means it either comes from an edited policy or that there are multiple policies set. Content needs to pass all policies, so adding another policy can only make it stricter.
Upvotes: 0
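The two points in the answer above (connect-src falling back to default-src, and every delivered policy having to pass) can be checked with a simplified model of CSP source matching. This is an added example, not code from the question, the answer, or OneTrust. The page origin `https://app.example`, the `EXAMPLE-ID` path, and the exact `connect-src` value are assumptions, and the matcher ignores ports, paths, nonces and hashes.

```javascript
// Simplified model of CSP fetch-directive matching (added example, not a full CSP engine).
const PAGE_ORIGIN = 'https://app.example'; // constructed origin of the protected page

function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive name is ignored; the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

function sourceMatches(source, url) {
  if (source === "'self'") return url.origin === PAGE_ORIGIN;
  if (source.startsWith("'")) return false; // 'none', 'unsafe-inline' etc. never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9.-]+)/i.exec(source);
  if (!m) return false;
  // Simplification: a scheme-less host-source is treated as using the page's scheme.
  const scheme = m[1] ? m[1].toLowerCase() + ':' : new URL(PAGE_ORIGIN).protocol;
  const host = m[2].toLowerCase();
  if (url.protocol !== scheme) return false;
  if (host === '*') return true;
  if (host.startsWith('*.')) return url.hostname.endsWith(host.slice(1));
  return url.hostname === host;
}

function policyAllows(policy, directive, url) {
  // Fetch directives such as connect-src fall back to default-src when absent.
  const sources = policy.get(directive) ?? policy.get('default-src');
  if (sources === undefined) return true; // nothing in this policy governs the request
  return sources.some((s) => sourceMatches(s, url));
}

// Every delivered policy must allow the request, so an extra header can only restrict.
function requestAllowed(headers, directive, rawUrl) {
  const url = new URL(rawUrl);
  return headers.every((h) => policyAllows(parsePolicy(h), directive, url));
}

// TRIED is the policy from the question; WITH_CONNECT adds an assumed connect-src.
const TRIED = "default-src 'self'; script-src 'self' https://cdn.cookielaw.org; style-src 'self' 'unsafe-inline' https://cdn.cookielaw.org; frame-ancestors 'self';";
const WITH_CONNECT = TRIED + " connect-src 'self' https://cdn.cookielaw.org;";
const CONSENT_JSON = 'https://cdn.cookielaw.org/consent/EXAMPLE-ID/EXAMPLE-ID.json'; // constructed

console.log('tried policy only:', requestAllowed([TRIED], 'connect-src', CONSENT_JSON));
console.log('with connect-src:', requestAllowed([WITH_CONNECT], 'connect-src', CONSENT_JSON));
console.log('both headers sent:', requestAllowed([WITH_CONNECT, TRIED], 'connect-src', CONSENT_JSON));
```

The third case is the one to watch for on the server: if an older `Header set` line still emits the stricter policy alongside the new one, the request stays blocked.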