
Custom CSP Whitelist module not working

Summary

I created a CspWhitelist module. The module is enabled but both config.xml and csp_whitelist.xml seem to be ignored by Magento.

Details

I updated to Magento CE 2.4.5-p8 recently and it broke my website. I was forced to enable the Magento_Csp module to fix the problem. The website was then running, but CSP Strict mode was enabled by default, so it broke my checkout page and I couldn't create orders in the backend. I found a temporary fix to put CSP in report-only mode by inserting 2 lines in core_config_data. I then read the Magento docs for a long-term solution and created my CspWhitelist module under app/code/VendorName/CspWhitelist.

When I run bin/magento module:status, I see that my module is Enabled but the items I added in csp_whitelist.xml are not present in the response header when I check in my browser using the inspector.

I have recompiled, deployed static files, flushed the cache, put Cloudflare in Developer mode... nothing. Here are the files of my module:

app/code/VendorName/CspWhitelist/registration.php

<?php
\Magento\Framework\Component\ComponentRegistrar::register(
    \Magento\Framework\Component\ComponentRegistrar::MODULE,
    'VendorName_CspWhiteList',
    __DIR__
);

app/code/VendorName/CspWhitelist/etc/config.xml

<?xml version="1.0"?>
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Store:etc/config.xsd">
    <default>
        <csp>
            <mode>
                <storefront>
                    <report_only>1</report_only>
                    <report_uri></report_uri>
                </storefront>
                <admin>
                    <report_only>1</report_only>
                    <report_uri></report_uri>
                </admin>
            </mode>
        </csp>
    </default>
</config>

app/code/VendorName/CspWhitelist/etc/module.xml

<?xml version="1.0"?>
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:Module/etc/module.xsd">
	<module name="VendorName_CspWhitelist" setup_version="1.0.0">
		<sequence>
			<module name="Magento_Csp"/>
		</sequence>
	</module>
</config>

app/code/VendorName/CspWhitelist/etc/csp_whitelist.xml

<?xml version="1.0"?>
<csp_whitelist xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Csp:etc/csp_whitelist.xsd">
    <policies>
        <policy id="connect-src">
            <values>
                <value id="googleth" type="host">https://www.google.co.th</value>
            </values>
        </policy>
        <policy id="script-src">
            <values>
                <value id="omise" type="host">https://cdn.omise.co</value>
            </values>
        </policy>
    </policies>
</csp_whitelist>

I need to add more items to the whitelist, but I first want proof that this small bit is working.

I am not a developer so any help would be appreciated.
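
A way to run the response-header check described above without the browser inspector, as an added example that is not part of the original post: it parses the CSP headers and lists which entries from the csp_whitelist.xml above are missing. The sample header values are constructed; real ones would come from the site's own response.

```python
# Entries from the csp_whitelist.xml in the post: directive -> whitelisted URLs.
EXPECTED = {
    "connect-src": ["https://www.google.co.th"],
    "script-src": ["https://cdn.omise.co"],
}
CSP_HEADERS = ("content-security-policy", "content-security-policy-report-only")

# Constructed sample response headers (not captured from a real site).
SAMPLE_IGNORED = {
    "Content-Type": "text/html",
    "Content-Security-Policy-Report-Only":
        "default-src 'self'; script-src 'self' 'unsafe-inline' *.example.com; "
        "connect-src 'self' *.example.com",
}
SAMPLE_APPLIED = {
    "Content-Security-Policy-Report-Only":
        "script-src 'self' https://cdn.omise.co; "
        "connect-src 'self' https://www.google.co.th",
}


def parse_csp(value):
    """Split one CSP header value into {directive: [source, ...]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored by browsers, so keep the first.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def source_covers(source, url):
    """True if a host source covers the URL's host (scheme and path are ignored)."""
    host = url.split("://", 1)[-1].split("/", 1)[0].lower()
    src = source.split("://", 1)[-1].split("/", 1)[0].lower()
    if src.startswith("*."):
        return host.endswith(src[1:])
    return src == host


def check_headers(headers, expected=EXPECTED):
    """Map each CSP header present to the (directive, url) pairs it lacks."""
    report = {}
    for name, value in headers.items():
        if name.lower() in CSP_HEADERS:
            policy = parse_csp(value)
            report[name.lower()] = [
                (d, u) for d, urls in expected.items() for u in urls
                if not any(source_covers(s, u) for s in policy.get(d, []))
            ]
    return report
```

An empty list under `content-security-policy-report-only` means the whitelist entries reached the header and the policy is in report-only mode; an empty result means no CSP header was sent at all.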