When shoppers make 3D Secure 1 transactions, they are redirected to the issuer to perform the authentication. Your Content Security Policy (CSP) can prevent the redirection and therefore block the shopper from completing the payment.

The CSP is a policy you decide. Something you can consider is to set the policy to Report Only. The Report Only CSPs don't block transactions, they send a report to your server indicating that a CSP request was done.

In case you prefer not setting your CSP to Report Only, you will probably be looking for a list of all possible issuer Urls. Unfortunately, this is not something we can provide because the list is subject to changing over time and there are many issuers to keep track of. The issuer Url is a field we return in the API response of a 3D Secure 1 transaction. With this information, you can consider building your own issuer Urls list.

The trade off here with your CSP and 3D Secure 1 is that you can have a more relaxed CSP resulting in all 3D Secure 1 transactions being completed successfully, or a stricter one that then restricts some 3D Secure 1 transactions.