I just upgraded my Magento store from 2.3.4 to 2.3.5-p1.
My store uses static.domain.com and media.domain.com for deployed static and media content.
Console error message (example):
[Report Only] Refused to load the stylesheet ‘URL’ because it violates the following Content Security Policy directive: ….
Looking forward to hearing from all of you soon!
2 Answers
As of version 2.3.5, Magento supports Content Security Policy headers and provides ways to configure them per module.
Content Security Policies (CSP) are a powerful tool to mitigate against Cross-Site Scripting (XSS) and related attacks.
By default, Content Security Policy is configured in report-only mode, which allows merchants and developers to configure policies to work according to their custom code.
What you’re currently seeing is report-only mode.
You can configure your own custom CSP rules by adding a csp_whitelist.xml to your custom module’s etc folder or theme folder.
You can find more using the link below:
https://devdocs.magento.com/guides/v2.3/extension-dev-guide/security/content-security-policies.html
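For the setup described in the question (static and media files served from separate hostnames), this is what such a csp_whitelist.xml could look like. It is an added example, not code from the answer or from Magento itself; the module name Vendor_CspWhitelist, its path app/code/Vendor/CspWhitelist/etc/csp_whitelist.xml, and the hostnames are assumptions matching the question, and the list of directives is limited to the resource types a separate static/media host normally serves.

```xml
<?xml version="1.0"?>
<!-- Assumed location: app/code/Vendor/CspWhitelist/etc/csp_whitelist.xml
     (Vendor_CspWhitelist is a hypothetical module created for this example).
     Each <policy id="..."> maps to one CSP directive; each <value type="host">
     adds an allowed origin to it. Hostnames are those from the question. -->
<csp_whitelist xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Csp/etc/csp_whitelist.xsd">
    <policies>
        <!-- Stylesheets from pub/static live on the static host -->
        <policy id="style-src">
            <values>
                <value id="static-host" type="host">https://static.domain.com</value>
            </values>
        </policy>
        <!-- RequireJS bundles and other JS are also deployed to the static host -->
        <policy id="script-src">
            <values>
                <value id="static-host" type="host">https://static.domain.com</value>
            </values>
        </policy>
        <!-- Web fonts shipped with the theme -->
        <policy id="font-src">
            <values>
                <value id="static-host" type="host">https://static.domain.com</value>
            </values>
        </policy>
        <!-- Product and category images come from pub/media on the media host;
             theme images (logo, icons) still come from the static host -->
        <policy id="img-src">
            <values>
                <value id="static-host" type="host">https://static.domain.com</value>
                <value id="media-host" type="host">https://media.domain.com</value>
            </values>
        </policy>
        <!-- Product videos or other media stored under pub/media -->
        <policy id="media-src">
            <values>
                <value id="media-host" type="host">https://media.domain.com</value>
            </values>
        </policy>
    </policies>
</csp_whitelist>
```

Keeping the whitelist to these two origins and only the directives that actually need them preserves the XSS mitigation the policy is meant to provide; a broad `*` or a `default-src` entry would silence the console warnings but also defeat the point of the policy. The module still needs the usual registration.php and etc/module.xml, and after `bin/magento setup:upgrade` and a cache flush the report-only messages for these hosts should stop.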
Try this module to collect CSP violation reports and convert them to CSP rules to prevent warnings in the browser console – flancer32/mage2_ext_csp