Hey there @bmaulo, I haven't personally used a project that has a certain CSP enabled. But as far as I know there shouldn’t be any issues with any Prismic fields whatsoever.
The only one that caused trouble in the past was SVG files. They are a special kind of image that can embed javascript (for animation purpose mainly) that could result in a security breach. Prismic used to deliver SVGs via Imgx. Now it uses AWs to retrieve the file, the URL was images.prismic.io/img.svg?imgx_param=value , now it;s received like this: prismic-io.s3.amazonaws.com/img.svg
Just a note that I'm not a security headers expert, but I just tried it in several possible combinations but the whole website errors out and doesn't render anything. I tried several different values but they all resulted in the same output
Refused to load the stylesheet 'https://fonts.googleapis.com/css2?family=Open+Sans:wght@300;400;600;700&display=swap' because it violates the following Content Security Policy directive: "default-src 'unsafe-inline' 'unsafe-eval'". Note that 'style-src-elem' was not explicitly set, so 'default-src' is used as a fallback.
Refused to load the image '<URL>' because it violates the following Content Security Policy directive: "default-src 'unsafe-inline' 'unsafe-eval'". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.
8Refused to load the script '<URL>' because it violates the following Content Security Policy directive: "default-src 'unsafe-inline' 'unsafe-eval'". Note that 'script-src-elem' was not explicitly set, so 'default-src' is used as a fallback.
I'm using next-secure-headers to create my security headers. This is the values I've tried so far
@Pau All images from the website are coming from Prismic.
From within the error message, you can also see that google fonts is also being blocked, that's why this might not be a necessarily a Prismic issue, but Prismic is definitely impacted by it.
What we could do is find another Prismic website (preferably built in Nextjs/Gatsby) which uses a CSP and then we can use what they have done by looking at their security headers using https://securityheaders.com/
However it didn't help with passing the test on the website.
It's worth noting that the goal here is to purely pass the test on the checker, not to implement a proper content security policy. The website is 100% static, so there is no danger from such an attack