flancer32 / mage2_ext_csp

Magento 2 module to collect CSP violations reports and to eliminate JS console warnings
GNU General Public License v3.0

Is this module just allowing everything? #9

Open Eddcapone opened 3 years ago

Eddcapone commented 3 years ago

If yes, then why do I even need this extension? I could just disable the Magento_Csp module as well. It makes no sense.

LuizSantos1 commented 3 years ago

@Eddcapone Did you actually read the documentation? "The main goal of this module is to remove CSP errors from JS console completely but you can use this module to collect reports only (just disable activation for new rules in config).

You can switch CSP from report only to strict mode (set Report Only to false in config) after all violation reports will be converted to the rules and all not-allowed content will be locked by browser."

What I can understand from this is: you install the module, it will collect the error reports, convert them into CSP rules and clear up the reports.

Once the project is done, you can change CSP from report to restricted and CSP will block any new errors...

So the idea is to only clear up the errors before you finish the project and put it into production.

Eddcapone commented 3 years ago

Yes, but it also allows CSP rules which should be forbidden. For example, if a hacker injected a script into your website, then this extension grabs that script and allows it.

LuizSantos1 commented 3 years ago

Again, I guess in my opinion, you did not get the point of the module.

How to use it?

1 - When your project is still under development, install the module

2 - Inspect the errors; all of them are coming from "known" domains or unsafe JavaScript in-lines and JS in-lines you already know (i.e. Klarna, PayPal, Braintree, Facebook, Twitter, Cloudflare, etc...)

3 - This module will create "new rules" to clear those errors from these "known" domains

4 - Once it is all cleared, it is time to put the project into production mode

4.1 - Go to admin panel, DEACTIVATE the option "create new rules" on the module

4.2 - Go to CSP and activate the option "restrict"

Done!

The module will not create new rules for new scripts, because this option has been disabled at the admin panel. The only way to bypass this would be breaking into the admin panel and changing this option in order to allow the creation of new rules again.

To make it harder to break into it, you might enable 2FA verification to access admin panel!

I hope I have managed somehow to explain this as the documentation is not very clear about that.

WHY SHOULD YOU NOT RELY TOO MUCH ON CSP?

Please read about it on this link https://maxchadwick.xyz/blog/magento-disable-csp

I am really considering leaving CSP aside and going down the same path. Magento's effort might be a good intention, but the fact is: it is delaying development of the websites, wasting our time with hours trying to figure out how to whitelist all links and JS from themes, extensions and even unsafe inline JavaScript and JS that are in the Magento 2 core and partner code, and most of this effort is useless as the whitelist approach is not compatible with 'strict-dynamic'.

Maybe in the future they might clear all unsafe in-lines that are running inside Magento core code and partners and make CSP more useful.
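A small model of the workflow LuizSantos1 describes above (collect browser violation reports while the site runs report-only, turn them into rules, then switch "create new rules" off and go strict), written as an added example in Python rather than the module's own PHP. The `csp-report` samples, the `CspRuleCollector` class and the hostname-to-source conversion are constructed here for illustration and are not the module's code; it also shows the case Eddcapone raised: a report for a script nobody recognises only becomes an allowing rule while rule creation is still enabled.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed samples of the "csp-report" JSON a browser POSTs to the
# report-uri while the site runs in Content-Security-Policy-Report-Only mode.
DEV_REPORTS = [
    '{"csp-report":{"violated-directive":"script-src","blocked-uri":"https://www.paypal.com/sdk/js"}}',
    '{"csp-report":{"violated-directive":"script-src","blocked-uri":"https://js.braintreegateway.com/web/3.0/client.min.js"}}',
    '{"csp-report":{"violated-directive":"script-src","blocked-uri":"inline"}}',
    '{"csp-report":{"violated-directive":"img-src","blocked-uri":"https://www.facebook.com/tr"}}',
]
# Constructed report for a script nobody on the project recognises (hypothetical host).
UNKNOWN_REPORT = '{"csp-report":{"violated-directive":"script-src","blocked-uri":"https://unknown-cdn.invalid/tag.js"}}'


def rule_from_report(report_json):
    """Map one violation report to the (directive, source) a rule would allow."""
    r = json.loads(report_json)["csp-report"]
    directive = r["violated-directive"].split()[0]  # drop any sources listed after the name
    blocked = r["blocked-uri"]
    if blocked == "inline":
        return directive, "'unsafe-inline'"
    parts = urlsplit(blocked)
    if parts.scheme in ("http", "https") and parts.hostname:
        return directive, parts.hostname
    return None  # e.g. "eval" or "data": left for a human to decide


class CspRuleCollector:
    def __init__(self, activate_new_rules=True):
        self.activate_new_rules = activate_new_rules  # the admin "create new rules" switch
        self.rules = defaultdict(set)   # directive -> allowed sources
        self.pending = []               # reports kept for review, never activated

    def ingest(self, report_json):
        parsed = rule_from_report(report_json)
        if parsed is None:
            return False
        directive, source = parsed
        if self.activate_new_rules:
            self.rules[directive].add(source)  # dev phase: the report becomes an allowing rule
            return True
        self.pending.append((directive, source))  # production: only recorded
        return False

    def header(self, report_only):
        """Build the CSP header: report-only observes, strict mode blocks."""
        name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
        value = "; ".join(f"{d} 'self' {' '.join(sorted(s))}" for d, s in sorted(self.rules.items()))
        return name, value
```

With 'strict-dynamic' in the policy, browsers ignore host sources like the ones built here, which is the incompatibility the comment above mentions.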