This is a follow-up to this question: "Magento 2.4.7 - Advice setting up csp". I have set up/configured a custom CSP module. This is the current csp_whitelist.xml:

<?xml version="1.0"?>
<csp_whitelist xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Csp:etc/csp_whitelist.xsd">
    <policies>
        <policy id="default-src">
            <values>
                <value id="data" type="host">'self'</value>
            </values>
        </policy>
        <policy id="base-uri">
            <values>
                <value id="data" type="host">'self'</value>
            </values>
        </policy>
        <policy id="font-src">
            <values>
                <value id="data" type="host">'self' data: https://maxcdn.bootstrapcdn.com</value>
                <value id="bootstrapcdn" type="host">*.bootstrapcdn.com</value>
                <value id="fontawesome" type="host">*.fontawesome.com</value>
                <value id="googleapis" type="host">*.googleapis.com</value>
                <value id="gstatic" type="host">*.gstatic.com</value>
            </values>
        </policy>
        <policy id="style-src">
            <values>
                <value id="hash" type="hash" algorithm="sha256">W5akSSK6LD5BjIlNICMcXaUObQSRAaj6bs7JHADURBA=</value>
                <value id="hash2" type="hash" algorithm="sha256">3qVqeAdyxxTdPkkRzqapjGkAUYLahxSrB7Mdup+GPQ0=</value>
                <value id="hash3" type="hash" algorithm="sha256">2rvfFrggTCtyF5WOiTri1gDS8Boibj4Njn0e+VCBmDI=</value>
                <value id="hash4" type="hash" algorithm="sha256">p8MCfMHqrovsjRYU9z0bU17dd0z81k/fVbGrtBBiM9g=</value>
                <value id="hash5" type="hash" algorithm="sha256">0pk2s4oXwBELlC6IBVb3nNaM2PjfjwI2N6OGIX5lx8Y=</value>
                <value id="hash6" type="hash" algorithm="sha256">nkEZknO0IxNxY/CkTMBhjNhwPvglpYumjx31B4fjkY8=</value>
                <value id="data" type="host">'report-sample'</value>
                <value id="data2" type="host">'self'</value>
                <value id="data3" type="host">'unsafe-inline'</value>
                <value id="data4" type="host">https://maxcdn.bootstrapcdn.com</value>
                <value id="bootstrapcdn" type="host">*.bootstrapcdn.com</value>
                <value id="cloudflare" type="host">*.cloudflare.com</value>
                <value id="fontawesome" type="host">*.fontawesome.com</value>
                <value id="google-apis" type="host">*.googleapis.com</value>
                <value id="gstatic" type="host">*.gstatic.com</value>
            </values>
        </policy>
        <policy id="img-src">
            <values>
                <value id="data" type="host">'self'</value>
                <value id="adobedtm-assets" type="host">assets.adobedtm.com</value>
                <value id="adobedtm-all" type="host">*.adobedtm.com</value>
                <value id="cloudflare" type="host">*.cloudflare.com</value>
                <value id="googleadservices" type="host">*.googleadservices.com</value>
                <value id="google-analytics" type="host">*.google-analytics.com</value>
                <value id="vimeocdn" type="host">*.vimeocdn.com</value>
            </values>
        </policy>
        <policy id="connect-src">
            <values>
                <value id="data" type="host">'self'</value>
                <value id="cloudflare" type="host">*.cloudflare.com</value>
                <value id="google-maps" type="host">'self' https://maps.googleapis.com</value>
            </values>
        </policy>
        <policy id="frame-src">
            <values>
                <value id="data" type="host">'self'</value>
                <value id="stripe" type="host">https://js.stripe.com</value>
                <value id="google" type="host">*.google.com</value>
            </values>
        </policy>
        <policy id="script-src">
            <values>
                <value id="hash" type="hash" algorithm="sha256">W5akSSK6LD5BjIlNICMcXaUObQSRAaj6bs7JHADURBA=</value>
                <value id="hash2" type="hash" algorithm="sha256">3qVqeAdyxxTdPkkRzqapjGkAUYLahxSrB7Mdup+GPQ0=</value>
                <value id="hash3" type="hash" algorithm="sha256">2rvfFrggTCtyF5WOiTri1gDS8Boibj4Njn0e+VCBmDI=</value>
                <value id="hash4" type="hash" algorithm="sha256">p8MCfMHqrovsjRYU9z0bU17dd0z81k/fVbGrtBBiM9g=</value>
                <value id="hash5" type="hash" algorithm="sha256">0pk2s4oXwBELlC6IBVb3nNaM2PjfjwI2N6OGIX5lx8Y=</value>
                <value id="hash6" type="hash" algorithm="sha256">nkEZknO0IxNxY/CkTMBhjNhwPvglpYumjx31B4fjkY8=</value>
                <value id="report-sample" type="host">'report-sample'</value>
                <value id="self" type="host">'self'</value>
                <value id="unsafe-eval" type="host">'unsafe-eval'</value>
                <value id="unsafe-hashes" type="host">'unsafe-hashes'</value>
                <value id="unsafe-inline" type="host">'unsafe-inline'</value>
                <value id="adobedtm-assets" type="host">assets.adobedtm.com</value>
                <value id="adobedtm-all" type="host">*.adobedtm.com</value>
                <value id="adobe" type="host">*.adobe.com</value>
                <value id="avada" type="host">*.avada.io</value>
                <value id="amcglobal" type="host">amcglobal.sc.omtrdc.net</value>
                <value id="braintree-api" type="host">api.braintreegateway.com</value>
                <value id="braintree-sandbox" type="host">api.sandbox.braintreegateway.com</value>
                <value id="braintree-analytics" type="host">client-analytics.braintreegateway.com</value>
                <value id="braintree-analytics-sand" type="host">client-analytics.sandbox.braintreegateway.com</value>
                <value id="braintree-js" type="host">js.braintreegateway.com</value>
                <value id="braintree-assets" type="host">assets.braintreegateway.com</value>
                <value id="cardinalcommerce" type="host">geostag.cardinalcommerce.com</value>
                <value id="cardinalcommerce2" type="host">1eafstag.cardinalcommerce.com</value>
                <value id="cardinalcommerce3" type="host">geoapi.cardinalcommerce.com</value>
                <value id="cardinalcommerce4" type="host">1eafapi.cardinalcommerce.com</value>
                <value id="cardinalcommerce5" type="host">songbird.cardinalcommerce.com</value>
                <value id="cardinalcommerce6" type="host">*.cardinalcommerce.com</value>
                <value id="cardinalcommerce7" type="host">songbirdstag.cardinalcommerce.com</value>
                <value id="commerce-payment8" type="host">*.commerce-payment-services.com</value>
                <value id="cloudflare" type="host">*.cloudflare.com</value>
                <value id="google-pay" type="host">pay.google.com</value>
                <value id="google-analytics" type="host">*.google-analytics.com</value>
                <value id="google-analytics2" type="host">www.google-analytics.com</value>
                <value id="google-analytics3" type="host">analytics.google.com</value>
                <value id="google-analytics4" type="host">analytics.google.com</value>
                <value id="googletagmanager" type="host">googletagmanager.com</value>
                <value id="googletagmanager2" type="host">www.googletagmanager.com</value>
                <value id="googletagmanager3" type="host">*.googletagmanager.com</value>
                <value id="google-apis" type="host">apis.google.com</value>
                <value id="google-apis2" type="host">*.googleapis.com</value>
                <value id="google-apis3" type="host">www.googleapis.com</value>
                <value id="google-ads" type="host">www.googleadservices.com</value>
                <value id="google-ads2" type="host">googleads.g.doubleclick.net</value>
                <value id="google-ads3" type="host">*.googleadservices.com</value>
                <value id="google-ads4" type="host">googleads.g.doubleclick.net</value>
                <value id="gstatic" type="host">*.gstatic.com</value>
                <value id="google-recaptcha" type="host">https://www.gstatic.com/recaptcha/</value>
                <value id="google-recaptcha2" type="host">https://www.google.com/recaptcha/</value>
                <value id="google-recaptcha3" type="host">www.google.com/recaptcha/</value>
                <value id="google-recaptcha4" type="host">www.gstatic.com/recaptcha/</value>
                <value id="google-recaptcha5" type="host">https://www.gstatic.com/recaptcha</value>
                <value id="google-recaptcha6" type="host">https://www.google.com/recaptcha</value>
                <value id="google" type="host">google.com</value>
                <value id="google2" type="host">*.google.com</value>
                <value id="google3" type="host">*.google.com/</value>
                <value id="google-maps" type="host">https://maps.googleapis.com/maps/api/js</value>
                <value id="includestest" type="host">includestest.ccdc02.com</value>
                <value id="instagram" type="host">*.instagram.com</value>
                <value id="klarna" type="host">klarna.com</value>
                <value id="klarna2" type="host">*.klarna.com</value>
                <value id="klarna3" type="host">*.klarnacdn.net</value>
                <value id="klarna4" type="host">*.klarnaevt.com</value>
                <value id="magento-ds" type="host">*.magento-ds.com</value>
                <value id="newrelic" type="host">*.newrelic.com</value>
                <value id="nr-data" type="host">*.nr-data.net</value>
                <value id="paypal" type="host">www.paypal.com</value>
                <value id="paypal-objects" type="host">www.paypalobjects.com</value>
                <value id="paypal-objects2" type="host">*.paypalobjects.com</value>
                <value id="paypal-t" type="host">t.paypal.com</value>
                <value id="paypal-c" type="host">c.paypal.com</value>
                <value id="paypal-all" type="host">*.paypal.com</value>
                <value id="paypal-sandbox" type="host">www.sandbox.paypal.com</value>
                <value id="paypal-sandbox2" type="host">sandbox.paypal.com</value>
                <value id="paypal-sandbox3" type="host">*.sandbox.paypal.com</value>
                <value id="paypal-t2" type="host">t.paypal.com</value>
                <value id="stripe-js" type="host">https://js.stripe.com/v3/</value>
                <value id="stripe-all" type="host">*.stripe.com</value>
                <value id="stripe-link" type="host">*.link.com</value>
                <value id="typekit" type="host">*.typekit.net</value>
                <value id="typekit2" type="host">use.typekit.net</value>
                <value id="vimeo" type="host">*.vimeo.com</value>
                <value id="vimeo2" type="host">www.vimeo.com</value>
                <value id="vimeo3" type="host">*.vimeocdn.com</value>
                <value id="youtube" type="host">*.youtube.com</value>
                <value id="ytimg" type="host">s.ytimg.com</value>
            </values>
        </policy>
        <policy id="media-src">
            <values>
                <value id="data" type="host">'self'</value>
            </values>
        </policy>
        <policy id="manifest-src">
            <values>
                <value id="data" type="host">'self'</value>
            </values>
        </policy>
        <policy id="object-src">
            <values>
                <value id="data" type="host">'none'</value>
                <value id="hash" type="hash" algorithm="sha256">W5akSSK6LD5BjIlNICMcXaUObQSRAaj6bs7JHADURBA=</value>
                <value id="hash2" type="hash" algorithm="sha256">3qVqeAdyxxTdPkkRzqapjGkAUYLahxSrB7Mdup+GPQ0=</value>
                <value id="hash3" type="hash" algorithm="sha256">2rvfFrggTCtyF5WOiTri1gDS8Boibj4Njn0e+VCBmDI=</value>
                <value id="hash4" type="hash" algorithm="sha256">p8MCfMHqrovsjRYU9z0bU17dd0z81k/fVbGrtBBiM9g=</value>
                <value id="hash5" type="hash" algorithm="sha256">0pk2s4oXwBELlC6IBVb3nNaM2PjfjwI2N6OGIX5lx8Y=</value>
                <value id="hash6" type="hash" algorithm="sha256">nkEZknO0IxNxY/CkTMBhjNhwPvglpYumjx31B4fjkY8=</value>
            </values>
        </policy>
        <policy id="worker-src">
            <values>
                <value id="data" type="host">'none'</value>
            </values>
        </policy>
    </policies>
</csp_whitelist>

I need assistance with stopping the following console errors (I have another 8 similar):

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src assets.adobedtm.com *.adobe.com googleads.g.doubleclick.net analytics.google.com *.newrelic.com *.nr-data.net geostag.cardinalcommerce.com 1eafstag.cardinalcommerce.com geoapi.cardinalcommerce.com 1eafapi.cardinalcommerce.com songbird.cardinalcommerce.com includestest.ccdc02.com t.paypal.com s.ytimg.com *.vimeo.com *.vimeocdn.com *.youtube.com *.commerce-payment-services.com *.typekit.net google.com *.google.com amcglobal.sc.omtrdc.net *.magento-ds.com use.typekit.net js.braintreegateway.com assets.braintreegateway.com c.paypal.com pay.google.com api.braintreegateway.com api.sandbox.braintreegateway.com client-analytics.braintreegateway.com client-analytics.sandbox.braintreegateway.com *.paypal.com songbirdstag.cardinalcommerce.com *.googleapis.com *.gstatic.com *.instagram.com 'report-sample' 'self' 'unsafe-eval' 'unsafe-hashes' 'unsafe-inline' *.adobedtm.com *.avada.io *.cardinalcommerce.com *.cloudflare.com *.google-analytics.com googletagmanager.com *.googletagmanager.com apis.google.com *.googleadservices.com *.google.com/ klarna.com *.klarna.com *.klarnacdn.net *.klarnaevt.com *.paypalobjects.com sandbox.paypal.com *.sandbox.paypal.com *.stripe.com *.link.com 'self' 'unsafe-eval' 'unsafe-hashes' 'nonce-b243ZGoxZTNxcW83MHFsZzY3dGgxcnNmOXlweGtnY2Q=' 'sha256-W5akSSK6LD5BjIlNICMcXaUObQSRAaj6bs7JHADURBA=' 'sha256-3qVqeAdyxxTdPkkRzqapjGkAUYLahxSrB7Mdup+GPQ0=' 'sha256-2rvfFrggTCtyF5WOiTri1gDS8Boibj4Njn0e+VCBmDI=' 'sha256-p8MCfMHqrovsjRYU9z0bU17dd0z81k/fVbGrtBBiM9g=' 'sha256-0pk2s4oXwBELlC6IBVb3nNaM2PjfjwI2N6OGIX5lx8Y=' 'sha256-nkEZknO0IxNxY/CkTMBhjNhwPvglpYumjx31B4fjkY8=' local.adguard.org 'nonce-5f7358088e0046b0b925f4cfd5b'". Note that 'unsafe-inline' is ignored if either a hash or nonce value is present in the source list.

I have added the sha256 values to the whitelist, but this has not stopped the console errors. What am I doing wrong, please?

  • You want to disable CSP in latest version? Commented Jul 3, 2024 at 7:17

4 Answers

8

I've faced the same problem after the latest Magento 2.4.5-p8, 2.4.6-p6 and 2.4.7-p1 upgrade.

Disabling the CSP module is not a solution here, as other modules have dependencies on it.

To fix this issue, you need to create a config.xml file under the path below:

app/code/Vendor/Module/etc/config.xml

and add the following content to it:

<?xml version="1.0"?>
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Store:etc/config.xsd">
    <default>
        <csp>
            <policies>
                <storefront_checkout_index_index>
                    <scripts>
                        <inline>1</inline>
                    </scripts>
                </storefront_checkout_index_index>
            </policies>
        </csp>
    </default>
</config>

Flush the Magento cache (cache:flush) if you're adding this to an existing module, or run setup:upgrade if you've created a new module. After that, the CSP errors are gone from the checkout page.

Hope it helps!!!

7
  • That's done it! Many thanks, no console errors now! Commented Jul 5, 2024 at 12:31
  • Is this really safe, to enable all inline scripts rather than adding nonces or hashes? Commented Jul 24, 2024 at 11:20
  • This is not safe and not at all recommended. Commented Aug 8, 2024 at 14:48
  • Okay @VineetSajwan, then please share what is recommended and safe to use, as the hash method is not working as Magento suggested. Commented Aug 9, 2024 at 7:05
  • @sumit I am also looking for a solution. However, enabling inline scripts is not a solution. Commented Aug 9, 2024 at 12:11
0

In the console, check which script the error occurs for and fix the inline script there, i.e. if there is a script tag included directly in the .phtml template, change it to use the secureHtmlRenderer: https://developer.adobe.com/commerce/php/development/security/content-security-policies/#whitelist-an-inline-script-or-style

0

Probably those scripts are dynamic: some part of the script changes on every page load. You can check that by comparing the page source of the same URL after refreshing in your browser.

0

The following solution worked for me:

  1. Securely render the inline script:
     <?= $secureRenderer->renderTag('script', ['type' => 'text/javascript'], "\nconsole.log('I am a whitelisted script');\n", false); ?>
  2. Hash the content of the inline script using:
     base64_encode(hash('sha256', $content, true))
  3. Add the hash to the CSP policy:
     <?xml version="1.0"?>
     <csp_whitelist xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Csp:etc/csp_whitelist.xsd">
         <policies>
             <policy id="script-src">
                 <values>
                     <value id="my-scripts-hash" type="hash" algorithm="sha256">B4yPHKaXnvFWtRChIbabYmUBFZdVfKKXHbWtWidDVF8=</value>
                 </values>
             </policy>
         </policies>
     </csp_whitelist>
1
  • Thanks for sharing this, Vineet, I'll try it out and confirm if it works for me. Commented Aug 12, 2024 at 4:05
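As an added example (not code from the question or from any answer), the following Python reproduces the check a browser applies to an inline script body against a script-src source list: it computes the same base64 sha256 that `base64_encode(hash('sha256', $content, true))` produces for csp_whitelist.xml, and shows why the console error above says 'unsafe-inline' is ignored once a hash or nonce is in the list, and why a script whose body changes per request never matches a stored hash. The short source list, the nonce and the host names in it are constructed samples, not the store's real policy.

```python
import base64
import hashlib

# The inline script body from the answer above; the hash must be taken over
# exactly these bytes, including the leading and trailing newlines.
SAMPLE_BODY = "\nconsole.log('I am a whitelisted script');\n"


def csp_hash(content, algorithm="sha256"):
    """Base64 digest of the exact script body: the same value that PHP's
    base64_encode(hash('sha256', $content, true)) yields for csp_whitelist.xml."""
    digest = hashlib.new(algorithm, content.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def whitelist_value(content, value_id):
    """The <value> element to paste into a script-src policy in csp_whitelist.xml."""
    return (f'<value id="{value_id}" type="hash" algorithm="sha256">'
            f"{csp_hash(content)}</value>")


def inline_script_allowed(source_list, body, nonce=""):
    """Apply the CSP3 inline-script rules to a script-src source list (the quoted
    string from the console error). Returns (allowed, reason)."""
    sources = source_list.split()
    hash_sources = [s.strip("'") for s in sources if s.startswith("'sha")]
    nonce_sources = [s.strip("'") for s in sources if s.startswith("'nonce-")]
    if nonce and f"nonce-{nonce}" in nonce_sources:
        return True, "nonce attribute matches a 'nonce-...' source"
    for src in hash_sources:
        algo, _, expected = src.partition("-")
        if algo in ("sha256", "sha384", "sha512") and csp_hash(body, algo) == expected:
            return True, f"{algo} digest of the body matches"
    # Any hash or nonce in the list makes a CSP3 browser ignore 'unsafe-inline'.
    if "'unsafe-inline'" in sources:
        if hash_sources or nonce_sources:
            return False, "'unsafe-inline' is ignored (hashes/nonces present) and no hash matches"
        return True, "'unsafe-inline' honoured (no hash or nonce in the list)"
    return False, "no matching hash or nonce and no 'unsafe-inline'"


if __name__ == "__main__":
    # Constructed source list in the shape of the one Magento emits.
    policy = (f"'self' *.googleapis.com 'unsafe-inline' 'nonce-EXAMPLE' "
              f"'sha256-{csp_hash(SAMPLE_BODY)}'")
    print(whitelist_value(SAMPLE_BODY, "my-scripts-hash"))
    print(inline_script_allowed(policy, SAMPLE_BODY))
    # A body that differs by a single byte (e.g. a per-request value) never matches,
    # and 'unsafe-inline' no longer rescues it because the list carries hashes.
    print(inline_script_allowed(policy, SAMPLE_BODY.replace("I am", "I was")))
```

Hashing only works for script bodies that are byte-for-byte identical on every page load; for the dynamic blocks Magento renders per request, the nonce that secureHtmlRenderer attaches is what makes them pass.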
