Dears,

I decided to enable Magento_Csp module today on my magento 2.3.5-p2 webserver.

And I configured my own module to add the whitelisted domains.

I noticed that the console is showing me Refuse messages and not  'Report-Only'.

my config.xml is configure as below:

<?xml version="1.0"?>
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Store:etc/config.xsd">
    <default>
        <csp>
            <mode>
                <storefront>
                    <report_only>1</report_only>
                </storefront>
                <admin>
                    <report_only>1</report_only>
                </admin>
            </mode>
        </csp>
    </default>
</config>

However The console is showing the below:

Refused to frame 'https://www.youtube.com/' because it violates the following Content Security Policy directive: "frame-src 'self' geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com secure.authorize.net test.authorize.net www.paypal.com www.sandbox.paypal.com *.google.com *.addthis.com *.pinterest.com".

I know, I could add Youtube to the frame-src and it will work perfectly, However, I can't go with the Magento_Csp into production environment without the report-only mode for now.

Could anyone help me in making the Module working in Report-only mode ?