
Magento CSP - Report Only

SOLVED


Dears,

I decided to enable the Magento_Csp module today on my Magento 2.3.5-p2 web server.

And I configured my own module to add the whitelisted domains.

I noticed that the console is showing me "Refused" messages and not 'Report-Only'.

My config.xml is configured as below:

<?xml version="1.0"?>
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Store:etc/config.xsd">
    <default>
        <csp>
            <mode>
                <storefront>
                    <report_only>1</report_only>
                </storefront>
                <admin>
                    <report_only>1</report_only>
                </admin>
            </mode>
        </csp>
    </default>
</config>

However, the console is showing the below:

Refused to frame 'https://www.youtube.com/' because it violates the following Content Security Policy directive: "frame-src 'self' geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com secure.authorize.net test.authorize.net www.paypal.com www.sandbox.paypal.com *.google.com *.addthis.com *.pinterest.com".

I know I could add YouTube to the frame-src and it will work perfectly. However, I can't go into the production environment with Magento_Csp without the report-only mode for now.

Could anyone help me in making the module work in report-only mode?


Accepted Solutions

Re: Magento CSP - Report Only

After checking, this was related to the Porto theme used with the Magento 2 platform.

In fact, Porto enables the restrictions inside the theme. For this reason, I disabled it from here:

./app/code/Smartwave/Porto/etc/config.xml

I hope this answer helps other people.
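The question and the accepted answer together make one practical point: a `report_only` value set in your own module's config.xml can be overridden by another module's or theme's config.xml, and the only reliable way to know which mode the browser sees is the response header (browsers enforce `Content-Security-Policy` and only report for `Content-Security-Policy-Report-Only`). The following standalone Python diagnostic, added here as an example and not part of Magento or any theme, does both checks: it classifies a set of response headers, and it scans config.xml files for `csp/mode/<area>/report_only` values and lists the files that set the flag to 0. The headers and the theme config.xml below are constructed sample data; the module path `app/code/Vendor/CspWhitelist/etc/config.xml` and the theme path `app/code/Vendor/SomeTheme/etc/config.xml` are hypothetical.

```python
"""Standalone diagnostic for a Magento CSP that should be report-only but is enforced.

Added example code, not part of Magento or any theme. Two checks:
  1. Which CSP header the storefront actually sends (browsers enforce
     Content-Security-Policy; Content-Security-Policy-Report-Only only reports).
  2. Which config.xml files set csp/mode/<area>/report_only, because another
     module's or theme's config.xml can set it to 0 and override your value.
"""
import xml.etree.ElementTree as ET

ENFORCE_HEADER = "content-security-policy"
REPORT_ONLY_HEADER = "content-security-policy-report-only"


def csp_mode_from_headers(headers):
    """Classify response headers as 'report-only', 'enforce', 'both' or 'none'."""
    names = {name.lower() for name in headers}  # header names are case-insensitive
    enforce = ENFORCE_HEADER in names
    report_only = REPORT_ONLY_HEADER in names
    if enforce and report_only:
        return "both"
    if enforce:
        return "enforce"
    if report_only:
        return "report-only"
    return "none"


def report_only_settings(config_files):
    """For each config.xml (path -> XML text), collect csp/mode/<area>/report_only.

    Returns {path: {area: value}} containing only the files that set the flag.
    """
    found = {}
    for path, xml_text in config_files.items():
        root = ET.fromstring(xml_text)
        areas = {}
        for area in root.findall("./default/csp/mode/*"):  # storefront, admin, ...
            node = area.find("report_only")
            if node is not None and node.text is not None:
                areas[area.tag] = node.text.strip()
        if areas:
            found[path] = areas
    return found


def files_disabling_report_only(settings):
    """Return {area: [paths]} for every file that sets report_only to 0."""
    offenders = {}
    for path, areas in settings.items():
        for area, value in areas.items():
            if value == "0":
                offenders.setdefault(area, []).append(path)
    return offenders


# --- constructed sample data (not captured from a real site) ---------------
# Headers as an enforcing storefront would send them; the policy text is a
# shortened version of the directive quoted in the browser message above.
SAMPLE_HEADERS_ENFORCED = {
    "Content-Type": "text/html; charset=UTF-8",
    "Content-Security-Policy": "frame-src 'self' www.paypal.com *.google.com",
}
SAMPLE_HEADERS_REPORT_ONLY = {
    "Content-Type": "text/html; charset=UTF-8",
    "Content-Security-Policy-Report-Only": "frame-src 'self' www.paypal.com",
}

# The questioner's module config (as posted) next to a hypothetical theme
# config.xml that turns report-only off for the storefront area.
SAMPLE_CONFIGS = {
    "app/code/Vendor/CspWhitelist/etc/config.xml": """<?xml version="1.0"?>
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Store:etc/config.xsd">
    <default>
        <csp>
            <mode>
                <storefront><report_only>1</report_only></storefront>
                <admin><report_only>1</report_only></admin>
            </mode>
        </csp>
    </default>
</config>""",
    "app/code/Vendor/SomeTheme/etc/config.xml": """<?xml version="1.0"?>
<config>
    <default>
        <csp>
            <mode>
                <storefront><report_only>0</report_only></storefront>
            </mode>
        </csp>
    </default>
</config>""",
}


if __name__ == "__main__":
    print("header mode:", csp_mode_from_headers(SAMPLE_HEADERS_ENFORCED))
    settings = report_only_settings(SAMPLE_CONFIGS)
    for path, areas in settings.items():
        print(path, areas)
    print("files disabling report-only:", files_disabling_report_only(settings))
```

On a real installation you would feed `report_only_settings` the text of every `etc/config.xml` under `app/code` and `vendor`, and feed `csp_mode_from_headers` the headers returned by your HTTP client for a storefront page. Which config.xml value wins depends on the order in which Magento loads the modules, so treat the header check as the ground truth and the file scan as the way to find the file responsible.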

Re: Magento CSP - Report Only

Does enabling report-only mode cause any issue?

Re: Magento CSP - Report Only

Hi there,

It looks like you've configured the report_only mode correctly in your config.xml. However, Magento's built-in CSP module can sometimes be tricky to debug and manage, especially with dynamic content.

For a more robust and flexible solution, you might want to consider the Magento 2 CSP Whitelisting extension (https://www.scommerce-mage.com/magento-2-csp-whitelisting.html). It offers a user-friendly interface to manage your CSP directives, allows you to easily add/remove whitelisted domains, and has a dedicated "Report Only" mode toggle switch. This can simplify your CSP management and help you achieve the report-only behavior you're looking for. It's worth checking out to see if it addresses the issues you're experiencing with the default Magento module.

Hopefully, this helps!