Magento CSP - Report Only

SOLVED

Dears,

I decided to enable the Magento_Csp module today on my Magento 2.3.5-p2 web server.

And I configured my own module to add the whitelisted domains.

I noticed that the console is showing me 'Refused' messages and not 'Report-Only'.

My config.xml is configured as below:

<?xml version="1.0"?>
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Store:etc/config.xsd">
    <default>
        <csp>
            <mode>
                <storefront>
                    <report_only>1</report_only>
                </storefront>
                <admin>
                    <report_only>1</report_only>
                </admin>
            </mode>
        </csp>
    </default>
</config>

However, the console is showing the below:

Refused to frame 'https://www.youtube.com/' because it violates the following Content Security Policy directive: "frame-src 'self' geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com secure.authorize.net test.authorize.net www.paypal.com www.sandbox.paypal.com *.google.com *.addthis.com *.pinterest.com".

I know I could add YouTube to the frame-src and it will work perfectly. However, I can't go with Magento_Csp into the production environment without the report-only mode for now.

Could anyone help me make the module work in report-only mode?

1 ACCEPTED SOLUTION

Re: Magento CSP - Report Only

After checking, this was related to the Porto theme used with the Magento 2 platform.

In fact, Porto is enabling the restrictions inside the theme. For this reason, I disabled it from here:

./app/code/Smartwave/Porto/etc/config.xml

I hope this answer helps other people.
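
To locate a module that overrides the mode, as the answer above did for Porto, one can list every module etc/config.xml that sets csp/mode/<area>/report_only and flag the ones that turn it off. This is an added example, not code from the thread or from Magento; the sample tree is constructed, Example/Csp is a hypothetical module, and the value 0 in the Porto file is an assumption.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

AREAS = ("storefront", "admin")

def find_csp_mode_settings(root):
    """List (file, area, value) for each etc/config.xml under root that sets
    default/csp/mode/<area>/report_only."""
    root = Path(root)
    hits = []
    for cfg in root.rglob("config.xml"):
        if cfg.parent.name != "etc":
            continue
        try:
            tree = ET.parse(cfg)
        except ET.ParseError:
            continue  # unreadable XML: skip it, keep scanning
        for area in AREAS:
            node = tree.find(f"./default/csp/mode/{area}/report_only")
            if node is not None and node.text:
                rel = cfg.relative_to(root).as_posix()
                hits.append((rel, area, node.text.strip()))
    return sorted(hits)

def enforcing(hits):
    """Entries that turn report-only off, i.e. make the browser block."""
    return [h for h in hits if h[2] != "1"]

# Constructed sample tree. The Porto path is the one named in the answer; the
# value 0 in it is an assumption, and Example/Csp is a hypothetical module.
TEMPLATE = """<?xml version="1.0"?>
<config><default><csp><mode>
<storefront><report_only>{v}</report_only></storefront>
<admin><report_only>{v}</report_only></admin>
</mode></csp></default></config>"""
SAMPLE = {"app/code/Example/Csp/etc/config.xml": 1,
          "app/code/Smartwave/Porto/etc/config.xml": 0}

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        for rel, value in SAMPLE.items():
            path = Path(tmp, rel)
            path.parent.mkdir(parents=True)
            path.write_text(TEMPLATE.format(v=value))
        return find_csp_mode_settings(tmp)

if __name__ == "__main__":
    for rel, area, value in enforcing(demo()):
        print(f"{rel}: csp/mode/{area}/report_only = {value}")
```

Pointing find_csp_mode_settings at the Magento root instead of the sample tree covers both app/code and vendor in one pass.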

Re: Magento CSP - Report Only

Does enabling report-only mode cause any issue?