zipMoney / zip.magento2

Zip Payment Extension for Magento 2 that supports global Zip products
MIT License
4 stars 9 forks

Strict content security policy (CSP) enforcement compatibility #98

Open lytesaber opened 2 months ago

lytesaber commented 2 months ago

Affected Versions

Issue

As of the most recent security patch releases and the Magento 2.4.7 release, Adobe has enforced strict content security policy (CSP) instead of the report-only configuration of previous releases. In my case, upgrading from 2.4.5-p7 to 2.4.5-p8 enforced this change; in testing I've found CSP-related errors thrown in the console when proceeding to the checkout.

Adobe's patch release notes state that strict CSP is now enforced: https://experienceleague.adobe.com/en/docs/commerce-operations/release/notes/security-patches/2-4-5-patches#additional-security-enhancements

Workaround

There is a workaround outlined by Sansec, turning CSP back to report-only mode; however, this will be non-compliant with the changes coming into effect with PCI DSS as of April next year. https://sansec.io/guides/magento-csp#disable-strict-csp-on-checkout

Solution

Zip must be patched to be compatible with Magento when strict content security policy (CSP) is enabled.
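The fix the issue asks for, as opposed to the report-only workaround, is for the module to declare the origins its checkout widget needs so that Magento's strict policy allows them. Magento modules do this with an etc/csp_whitelist.xml file, which the Magento_Csp module merges into the Content-Security-Policy header it emits. The file below is an added example written for this issue, not code from the zip.magento2 repository: the module path, the value ids and every hostname are placeholders, since the page does not list Zip's real endpoints. The report-only switch that Sansec's workaround relies on is a different thing, the store setting csp/mode/storefront_checkout_index_index/report_only that Magento 2.4.7 introduced for the checkout scope; it weakens the policy for everyone rather than allowing only what the widget needs.

```xml
<?xml version="1.0"?>
<!-- Assumed path: app/code/Zip/ZipPayment/etc/csp_whitelist.xml
     (substitute the module's real vendor/module name).
     Added example, not the extension's own file; all hosts are placeholders
     standing in for whatever origins the Zip checkout widget actually loads.
     Each policy id is a CSP directive; each value is an origin added to it. -->
<csp_whitelist xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Csp/etc/csp_whitelist.xsd">
    <policies>
        <!-- external script tag the widget injects on the checkout page -->
        <policy id="script-src">
            <values>
                <value id="zip_checkout_js" type="host">https://checkout.payments.example</value>
            </values>
        </policy>
        <!-- XHR / fetch calls the widget makes from the shopper's browser -->
        <policy id="connect-src">
            <values>
                <value id="zip_api" type="host">https://api.payments.example</value>
            </values>
        </policy>
        <!-- hosted checkout opened in an iframe or popup -->
        <policy id="frame-src">
            <values>
                <value id="zip_checkout_frame" type="host">https://checkout.payments.example</value>
            </values>
        </policy>
        <!-- logos and payment badges served from a static host -->
        <policy id="img-src">
            <values>
                <value id="zip_static" type="host">https://static.payments.example</value>
            </values>
        </policy>
        <!-- widget stylesheet, if it is loaded from the same static host -->
        <policy id="style-src">
            <values>
                <value id="zip_css" type="host">https://static.payments.example</value>
            </values>
        </policy>
    </policies>
</csp_whitelist>
```

To find the real entries, run the checkout with strict CSP enabled and read the blocked-URI and violated-directive fields of the console errors the reporter mentions; each one maps to one value under the matching policy id. A whitelist only covers external origins: any inline `<script>` block in the module's templates is still refused under the nonce-based strict policy and has to be emitted through Magento's SecureHtmlRenderer::renderTag so the Csp module can attach the nonce, or moved into a RequireJS/Knockout file. After changing the file, clear the config cache and confirm with curl -I that the Content-Security-Policy header on the checkout page lists the new hosts.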