April 28, 2020
Magento v2.3.5 includes a set of powerful new security tools for Magento installations. Content Security Policies (CSP) provide additional layers of defense by helping to detect and mitigate Cross-Site Scripting (XSS) and related data injection attacks. This common attack vector works by injecting malicious content that falsely claims to originate from the website. After the malicious content is loaded and executed, it can initiate the unauthorized transfer of data.
CSP provides a standardized set of directives that tell the browser which content resources can be trusted, and which should be blocked. Using carefully defined policies, CSP restricts browser content to include only whitelisted resources. In 2.3.5, CSP initially operates by default in report-only mode to allow merchants and developers to configure the policies for the specific site and to identify the content resources to allow. In a future release, restrict mode will be enabled by default for additional out-of-the-box protection.
Content Security Policy Overview
Content Security Policies