CSP for Cookie Consent Banners: OneTrust and Osano
Cookie consent banners are one of the easiest ways to blow up an otherwise clean Content Security Policy. I’ve seen teams lock down script-src, remove inline JS, add nonces everywhere, and then ship a consent platform that quietly needs half a dozen extra hosts, a stylesheet exception, iframe support, and a callback script jammed into the page head. Suddenly the CSP report inbox catches fire. This guide is the practical version: what to allow, where teams usually get it wrong, and copy-paste CSP examples for OneTrust and Osano. ...