Question posted in 
I’m unable to understand the error. please help if anyone facing the same issue and got rid of it.
The Content Security Policy 'font-src 'self' 'unsafe-inline'; form-action geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com secure.authorize.net test.authorize.net 'self' 'unsafe-inline'; frame-ancestors 'self' 'unsafe-inline'; frame-src geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com secure.authorize.net test.authorize.net www.paypal.com www.sandbox.paypal.com 'self' 'unsafe-inline'; img-src widgets.magentocommerce.com www.googleadservices.com www.google-analytics.com t.paypal.com www.paypal.com www.paypalobjects.com fpdbs.paypal.com fpdbs.sandbox.paypal.com *.vimeocdn.com s.ytimg.com 'self' 'unsafe-inline'; script-src assets.adobedtm.com geostag.cardinalcommerce.com 1eafstag.cardinalcommerce.com geoapi.cardinalcommerce.com 1eafapi.cardinalcommerce.com songbird.cardinalcommerce.com includestest.ccdc02.com www.googleadservices.com www.google-analytics.com secure.authorize.net test.authorize.net www.paypal.com www.sandbox.paypal.com www.paypalobjects.com t.paypal.com s.ytimg.com video.google.com vimeo.com www.vimeo.com js.authorize.net jstest.authorize.net cdn-scripts.signifyd.com www.youtube.com js.braintreegateway.com 'self' 'unsafe-inline' 'unsafe-eval'; style-src getfirebug.com 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; media-src 'self' 'unsafe-inline'; manifest-src 'self' 'unsafe-inline'; connect-src geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com 'self' 'unsafe-inline'; child-src 'self' 'unsafe-inline'; default-src 'self' 'unsafe-inline' 'unsafe-eval'; base-uri 'self' 'unsafe-inline';' was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header.
4(index):1 [Report Only] Refused to load the stylesheet 'https://fonts.googleapis.com/css?family=Work+Sans:400,700.less' because it violates the following Content Security Policy directive: "style-src getfirebug.com 'self' 'unsafe-inline'". Note that 'style-src-elem' was not explicitly set, so 'style-src' is used as a fallback.
(index):24 GET http://localhost/demo/pub/static/version1588683649/adminhtml/Magento/backend/en_US/mage/requirejs/mixins.js net::ERR_ABORTED 404 (Not Found)
(index):23 GET http://localhost/demo/pub/static/version1588683649/adminhtml/Magento/backend/en_US/requirejs/require.js net::ERR_ABORTED 404 (Not Found)
(index):34 GET http://localhost/demo/pub/static/version1588683649/adminhtml/Magento/backend/en_US/images/magento-icon.svg 404 (Not Found)
(index):24 GET http://localhost/demo/pub/static/version1588683649/adminhtml/Magento/backend/en_US/mage/requirejs/mixins.js net::ERR_ABORTED 404 (Not Found)
requirejs-config.js:18 Uncaught TypeError: require.config is not a function
at requirejs-config.js:18
at requirejs-config.js:19
at requirejs-config.js:643
(anonymous) @ requirejs-config.js:18
(anonymous) @ requirejs-config.js:19
(anonymous) @ requirejs-config.js:643
60[Report Only] Refused to load the font '<URL>' because it violates the following Content Security Policy directive: "font-src 'self' 'unsafe-inline'".
3
Answers
This is because of the new module ( Magento_csp) added in Magento 2.3.5,
As of version 2.3.5, Magento supports CSP headers and provides ways to configure them. (This functionality is defined in the Magento_Csp module.) Magento also provides default configurations at the application level and for individual core modules that require extra configuration. Policies can be configured for adminhtml and storefront areas separately to accommodate different use cases. Magento also permits configuring unique CSPs for specific pages.
CSP can work in two modes:
report-only – In this mode, Magento reports policy violations but does not interfere. This mode isuseful for debugging. By default, CSP violations are written to the browser console, but they can be configured to be reported to an endpoint as an HTTP request to collect logs. There are a number of services that will collect, store, and sort your store’s CSP violations reports for you.
restrict mode – In this mode, Magento acts on any policy violations thus block any URLs those are added in the whitelist. This reduces cross-site scripting, credit card skimmers etc..
See more details here
https://devdocs.magento.com/guides/v2.3/extension-dev-guide/security/content-security-policies.html
CSP is not the reason of the problem. By default CSP works in Report-Only mode. The main reason of endless loading is:
Perhaps you didn’t clean the cache. Try to switch to developer mode and clean the cache:
The problem comes from the new Magento_csp module, one solution that I really find is to deactivate this module and move forward in your project.