This guide explains how to setupCSP in your [config/website.js configuration](/docs/2.x/reference/configurations#configwebsitejs).
For security reasons only URLs from the store's domain are authorized through CSP. However, for tracking and third-party dependencies, you will have to authorize more domains. Use the following config and add your custom domain in each:
When a CSP is missing, your browser will let you know in its console and log it
This chapter implies lowering the security of your application, please fully consider your needs before using this feature.
If you are unable to define a restricted list of content providers, you may need to enable all contents of a kind.
This will allow all content of a kind and log violation to your configuration without blocking the contents.
In the example below, all frames will be allowed and frames not originating from
the domain itself or
mysite.com will be logged in the