Summary
We have some logs in the console reporting script blocks due to restrictions via the CSP header. The inline style calls to the host io2.vtex.com have this blocking log because it is not released in the CSP of the previous host, thus generating error messages in the console.
[Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' https://io.vtex.com.br https://.vtex.com.br https://.vtexpayments.com.br https://.myvtex.com https://.vtexcommercestable.com.br https://.vtexcommercebeta.com.br https://.vteximg.com.br https://*.vtexassets.com 'report-sample'". Either the 'unsafe-inline' keyword, a hash ('sha256-AdqydPwVZwz4OteEhuvEEzsFBDTM/J6q0/ZlIWf9Wr4='), or a nonce ('nonce-...') is required to enable inline execution.
Simulation
- Go to store checkout;
- Open the console and check the report messages;
Workaround
N/A