Hello, the Firefox v.102 dev. console shows the warning from the title of this post, while the .htaccess is:

    Header always set X-Xss-Protection "1; mode=block"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Content-Type-Options "nosniff"
    Header always set Referrer-Policy strict-origin-when-cross-origin
    Header set Content-Security-Policy-Report-Only "style-src *.tawk.to fonts.googleapis.com cdn.jsdelivr.net"
    Header set Content-Security-Policy-Report-Only "script-src *.tawk.to cdn.jsdelivr.net"
    Header set Content-Security-Policy-Report-Only "frame-src *.tawk.to"
    Header set Content-Security-Policy-Report-Only "font-src *.tawk.to fonts.gstatic.com"
    Header set Content-Security-Policy-Report-Only "img-src *.tawk.to cdn.jsdelivr.net tawk.link"
    Header set Content-Security-Policy-Report-Only "connect-src *.tawk.to wss://*.tawk.to"

Do you have an idea how to better do the policy so it does not warn me? My site is WordPress. I wanted some simple policy with good protection and to whitelist a few external elements.
So you are using the HTTP header that was designed only to report errors to the specified URI and haven't provided this required report-uri...
Yes, I know that. I need to know how else these lines can look so they allow some external elements without reporting.
If you need to enforce these directives, you need to replace "Content-Security-Policy-Report-Only" with "Content-Security-Policy". As a reference, you can see how it is implemented on other sites. For example, looking at the response headers of opensubtitles.com, we can see: P.S. Note that although multiple CSP headers are allowed, there are some caveats and it is better to have only one Content-Security-Policy header.
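The two points made in the replies above (a Report-Only policy needs a reporting endpoint, and the directives belong in a single Content-Security-Policy header) can be checked mechanically. The script below is an added example, not code from any poster or from WordPress; it parses CSP header values, merges the six single-directive values from the question into one policy, and lints the result. Relevant here is that Apache's mod_headers `Header set` replaces any earlier header of the same name, so six `Header set Content-Security-Policy-Report-Only` lines leave only the last directive in the response; merging them into one value avoids that. The `/csp-report` path in the test is a placeholder, not an endpoint from the thread.

```python
"""Parse, merge and lint Content-Security-Policy header values (added example)."""
from typing import Dict, List

# Constructed sample: the six directive values from the question, one per header.
SAMPLE_REPORT_ONLY_HEADERS = [
    "style-src *.tawk.to fonts.googleapis.com cdn.jsdelivr.net",
    "script-src *.tawk.to cdn.jsdelivr.net",
    "frame-src *.tawk.to",
    "font-src *.tawk.to fonts.gstatic.com",
    "img-src *.tawk.to cdn.jsdelivr.net tawk.link",
    "connect-src *.tawk.to wss://*.tawk.to",
]


def parse_csp(header_value: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [source, ...]}; directives are ';'-separated."""
    policy: Dict[str, List[str]] = {}
    for part in header_value.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        name, *sources = tokens
        policy[name.lower()] = sources
    return policy


def merge_policies(header_values: List[str]) -> Dict[str, List[str]]:
    """Combine several header values into one policy, de-duplicating sources per directive."""
    merged: Dict[str, List[str]] = {}
    for value in header_values:
        for name, sources in parse_csp(value).items():
            bucket = merged.setdefault(name, [])
            for src in sources:
                if src not in bucket:
                    bucket.append(src)
    return merged


def serialize_csp(policy: Dict[str, List[str]]) -> str:
    """Render a policy back into a single header value."""
    return "; ".join(f"{name} {' '.join(sources)}".strip() for name, sources in policy.items())


def lint_policy(policy: Dict[str, List[str]], report_only: bool) -> List[str]:
    """Return human-readable findings about weak or incomplete settings."""
    findings = []
    if report_only and not ({"report-uri", "report-to"} & policy.keys()):
        findings.append("Report-Only policy has no report-uri/report-to; the browser has nowhere to send reports")
    if "default-src" not in policy:
        findings.append("no default-src fallback; fetch directives that are not listed stay unrestricted")
    for name, sources in policy.items():
        for src in sources:
            if src in ("'unsafe-inline'", "'unsafe-eval'"):
                findings.append(f"{name} allows {src}")
            if src == "*":
                findings.append(f"{name} allows any origin")
    return findings


if __name__ == "__main__":
    merged = merge_policies(SAMPLE_REPORT_ONLY_HEADERS)
    print("Single header value:", serialize_csp(merged))
    for finding in lint_policy(merged, report_only=True):
        print("finding:", finding)
```

Run as-is, it prints the merged single-header value and two findings for the question's configuration: no reporting endpoint and no default-src. Feeding the same helper a value with `default-src 'self'` added, emitted under the enforcing header name, yields no findings.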