magento2 – csp_whitelist.xml for themes

Content security policies for custom modules can be added by setting up a csp_whitelist.xml file, i.e. app/code/Vendorname/Modulename/etc/cps_whitelist.xml, this is more or less excessively described in the docs.

However, the docs also mention

Configure CSPs for your custom code/extension/theme

Yet, I seem to be unable to get a working whitelist addition from within a custom theme, i.e. app/design/Vendorname/Themename/etc/cps_whitelist.xml?


<?xml version="1.0" encoding="UTF-8"?>
<csp_whitelist xmlns:xsi="" xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Csp:etc/csp_whitelist.xsd">
        <policy id="style-src">
                <value id="fontsGoogleapisCom" type="host"></value>

This very same whitelist is working and brings me the expected result when moved to a custom module (i.e. app/code/Vendorname/ThemenameCsp).

Am I supposed to create a custom-theme-related custom module just to allow my custom theme to load an external font? Seems a bit nasty to me if that’s actually the case.