Summary
I created a CspWhitelist module. The module is enabled but both config.xml and csp_whitelist.xml seem to be ignored by Magento.
Details
I updated to Magento CE 2.4.5-p8 recently and it broke my website. I was forced to enable the Magento_Csp module to fix the problem. The website was then running, but CSP Strict mode was enabled by default, so it broke my checkout page and I couldn't create orders in the backend. I found a temporary fix to put CSP in report-only mode by inserting 2 lines in core_config_data. I then read the Magento docs for a long-term solution and created my CspWhitelist module under app/code/VendorName/CspWhitelist.
When I run bin/magento module:status, I see that my module is Enabled but the items I added in csp_whitelist.xml are not present in the response header when I check in my browser using the inspector.
I have recompiled, deployed static files, flushed the cache, put Cloudflare in Developer mode... nothing. Here are the files of my module:
app/code/VendorName/CspWhitelist/registration.php
<?php
\Magento\Framework\Component\ComponentRegistrar::register(
    \Magento\Framework\Component\ComponentRegistrar::MODULE,
    'VendorName_CspWhiteList',
    __DIR__
);
app/code/VendorName/CspWhitelist/etc/config.xml
<?xml version="1.0"?>
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Store:etc/config.xsd">
    <default>
        <csp>
            <mode>
                <storefront>
                    <report_only>1</report_only>
                    <report_uri></report_uri>
                </storefront>
                <admin>
                    <report_only>1</report_only>
                    <report_uri></report_uri>
                </admin>
            </mode>
        </csp>
    </default>
</config>
app/code/VendorName/CspWhitelist/etc/module.xml
<?xml version="1.0"?>
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:Module/etc/module.xsd">
    <module name="VendorName_CspWhitelist" setup_version="1.0.0">
        <sequence>
            <module name="Magento_Csp"/>
        </sequence>
    </module>
</config>
app/code/VendorName/CspWhitelist/etc/csp_whitelist.xml
<?xml version="1.0"?>
<csp_whitelist xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Csp:etc/csp_whitelist.xsd">
    <policies>
        <policy id="connect-src">
            <values>
                <value id="googleth" type="host">https://www.google.co.th</value>
            </values>
        </policy>
        <policy id="script-src">
            <values>
                <value id="omise" type="host">https://cdn.omise.co</value>
            </values>
        </policy>
    </policies>
</csp_whitelist>
I need to add more items to the whitelist, but I first want proof that this small bit is working.
I am not a developer so any help would be appreciated.
You're definitely on the right track with creating your own CSP module, and it's great you're taking security seriously! It sounds like the module is enabled correctly since Magento recognizes it. The most common culprits for the csp_whitelist.xml file being ignored are usually small syntax errors within the XML itself. Even a misplaced character can prevent it from being parsed correctly. I'd recommend carefully reviewing the file for any typos or incorrect formatting, especially around the policy id and value id attributes. Make sure the <policies> and <values> tags are correctly nested.
Also, ensure the file is saved with UTF-8 encoding. Sometimes that can cause issues.
Beyond that, while you've cleared the Magento cache, sometimes the browser's cache can hold onto old headers. Try doing a hard refresh in your browser or even testing in an incognito window to rule that out.
If you've double-checked the XML and browser cache and it's still not working, you might find it easier to manage your CSP rules with a dedicated extension. There are a few out there, and one that's often recommended is the CSP Whitelisting extension by Scommerce Mage (https://www.scommerce-mage.com/magento-2-csp-whitelisting.html). These extensions often provide a more user-friendly interface for managing your whitelist and can help avoid some of the common pitfalls of manual configuration. It might be worth exploring if you continue to have trouble with your custom module.
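The checks suggested in the answer (well-formed XML, correct nesting, UTF-8 encoding) can be scripted, together with one more: Magento requires the module name passed to ComponentRegistrar::register() to match the name in module.xml exactly. The Python sketch below is an added example, not part of the question or the answer; the function names are hypothetical, and the inputs are the question's files with whitespace and schema attributes condensed.

```python
import re
import xml.etree.ElementTree as ET

# Inputs copied from the question (whitespace and schema attributes condensed).
REGISTRATION = rb"""<?php \Magento\Framework\Component\ComponentRegistrar::register(
    \Magento\Framework\Component\ComponentRegistrar::MODULE,
    'VendorName_CspWhiteList', __DIR__ );"""
MODULE_XML = b"""<?xml version="1.0"?><config>
  <module name="VendorName_CspWhitelist" setup_version="1.0.0">
    <sequence><module name="Magento_Csp"/></sequence></module></config>"""
WHITELIST = b"""<?xml version="1.0"?><csp_whitelist><policies>
  <policy id="connect-src"><values>
    <value id="googleth" type="host">https://www.google.co.th</value></values></policy>
  <policy id="script-src"><values>
    <value id="omise" type="host">https://cdn.omise.co</value></values></policy>
</policies></csp_whitelist>"""

def parse_xml(raw, label, findings):
    """Require UTF-8 and well-formed XML; record a finding instead of raising."""
    try:
        raw.decode("utf-8")
        return ET.fromstring(raw)
    except (UnicodeDecodeError, ET.ParseError) as exc:
        findings.append(f"{label}: {exc}")
        return None

def check_module(registration, module_xml, whitelist):
    findings = []
    # Name given to ComponentRegistrar::register() vs <module name="...">, case-sensitive.
    m = re.search(rb"::MODULE\s*,\s*['\"]([^'\"]+)['\"]", registration)
    reg_name = m.group(1).decode() if m else None
    cfg = parse_xml(module_xml, "module.xml", findings)
    node = cfg.find("module") if cfg is not None else None
    xml_name = node.get("name") if node is not None else None
    if reg_name != xml_name:
        findings.append(f"name mismatch: registration.php={reg_name!r} module.xml={xml_name!r}")
    root = parse_xml(whitelist, "csp_whitelist.xml", findings)
    if root is None:
        return findings
    if root.tag != "csp_whitelist":
        findings.append(f"csp_whitelist.xml: unexpected root <{root.tag}>")
    values = root.findall("policies/policy/values/value")
    if not values:
        findings.append("csp_whitelist.xml: no <value> under policies/policy/values")
    if any(not p.get("id") for p in root.findall("policies/policy")):
        findings.append("csp_whitelist.xml: <policy> without id")
    for v in values:  # type is "host" or "hash" in Magento's csp_whitelist.xsd
        if not v.get("id") or v.get("type") not in ("host", "hash") or not (v.text or "").strip():
            findings.append(f"csp_whitelist.xml: bad <value id={v.get('id')!r}>")
    return findings

if __name__ == "__main__":
    for line in check_module(REGISTRATION, MODULE_XML, WHITELIST) or ["no findings"]:
        print(line)
```

On the question's files, the XML passes every check and the only finding is the case difference between 'VendorName_CspWhiteList' in registration.php and 'VendorName_CspWhitelist' in module.xml.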