Content security policies for custom modules can be added by setting up a csp_whitelist.xml file, i.e. app/code/Vendorname/Modulename/etc/cps_whitelist.xml, this is more or less excessively described in the docs.
However, the docs also mention
Configure CSPs for your custom code/extension/theme
Yet, I seem to be unable to get a working whitelist addition from within a custom theme, i.e. app/design/Vendorname/Themename/etc/cps_whitelist.xml?
etc/csp_whitelist.xml:
<?xml version="1.0" encoding="UTF-8"?>
<csp_whitelist xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Csp:etc/csp_whitelist.xsd">
<policies>
<policy id="style-src">
<values>
<value id="fontsGoogleapisCom" type="host">fonts.googleapis.com</value>
</values>
</policy>
</policies>
</csp_whitelist>
This very same whitelist is working and brings me the expected result when moved to a custom module (i.e. app/code/Vendorname/ThemenameCsp).
Am I supposed to create a custom-theme-related custom module just to allow my custom theme to load an external font? Seems a bit nasty to me if that’s actually the case.
