Hi,
I upgraded Magento 2.3.5-p1 to 2.3.5-p2 last night and I didn't realize my credit card checkout option is not showing up. My browser console is showing that it's refusing to load authorize.net stuff because of CSP.
I checked the magento_csp module and report_only is still set to 1.
<report_only>1</report_only>
Help!
Update:
I disabled the module Magento_Csp and now I'm only getting the "Refused to load script" error on some of the Category pages, not all.
Best,
Yes, Magento 2 Content Security Policy is a pain in the... if you are not a programmer.
Or if you are not familiar with it.
This is why having a clone/copy of your website and database on a second server or locally is important, so you can test there and, if it is working, implement on your live website.
Magento is testing: test, test, test before action!!! Everyone needs a staging or second server or local copy (WAMP/XAMPP) with a recent copy of your live website. I see too many Magento users making changes on the live site, which is the wrong approach. This will cost money and downtime, and, most importantly, is very bad for reputation. Set up a staging or clone website first. Test new Magento versions there, test new extensions there and test all changes there. After this, implement in live.
My advice:
Since I am not an expert, my approach is to make use of your sources.
Good hosting, theme and extension developers are always willing to help,
because you will stay there and buy extensions if they help you out.
So in this case, ask your theme vendor for help.
They can set up the basic CSP whitelist/config for you.
After that:
First read this: https://devdocs.magento.com/guides/v2.4/extension-dev-guide/security/content-security-policies.html
so you know the basics.
Second:
1. Set it to report only
2. Debug your site and write down every single Warning
3. Contact all your extension providers and tell them the extension is blocked by the Magento 2 CSP. Most of the time they do not know this. Mark my words.
4. Add the rules to your whitelist (or config if needed).
5. Debug again for warnings; Google for those that are not third-party-extension related and you will find answers.
If all warnings are gone you can activate CSP.
It makes your site way more secure.
Be warned: after installing extensions, themes or whatever software you want to run, debug your site again. You may end up with CSP problems again.
This way you will get the rules you need to add to your whitelist/config from them.
This way you wake up developers and they will add this in the next version of the theme and extension by default.
Everyone wins.....
@Anonymous Thanks for the tips.
I do have a XAMPP dev version of the site, but of course being on a Windows machine compared to Linux in PRD, it's not going to be the same. I had upgraded to p2 on XAMPP with no issues and that's why I went ahead and did the PRD site. But yes, I need a better solution.
Thanks for the input.
Update... so I moved my dev environment to a Docker container running Linux and PHP 7.3 to match my PRD env and it's running much better. I enabled CSP again in dev and I'm getting the report-only warnings, which is expected. I went back to my PRD environment... turned CSP back on and it's enforcing the CSP and blocking some scripts. Had to turn it off again.
I'm running the same code on both environments so it makes no sense.... I'll keep researching.
Thanks.
Hello,
The issue you're facing is due to the changes made to the Content Security Policy (CSP) in Magento 2.3.5-p2. The upgrade has introduced stricter security settings, which are causing the Authorize.net scripts to be blocked.
Disabling the Magento_Csp module is a good temporary workaround, but it's not a long-term solution. The report_only setting is set to 1, which means the CSP policy is being reported but not enforced. However, it seems that the policy is still being enforced in some cases, causing the Authorize.net scripts to be blocked.
To resolve this issue, I would recommend using the CSP Whitelisting module (https://www.scommerce-mage.com/magento-2-csp-whitelisting.html). This module provides more fine-grained control over the CSP policy, allowing you to whitelist specific scripts and sources.
You can try setting the report_only setting to 0 and configuring the CSP policy to allow the Authorize.net scripts. This will allow you to test the policy without disabling the Magento_Csp module.
Alternatively, you can also try to configure the Magento_Csp module to allow the Authorize.net scripts by adding the necessary directives to the CSP policy. You can do this by going to Store > Configuration > Advanced > Content Security Policy and adding the following directives:
script-src 'self' https://www.authorize.net;
This will allow scripts to be loaded from the Authorize.net domain.
I hope this helps!
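The whitelist step from the earlier answer (run report-only, collect the console warnings, then add the blocked hosts) and the Authorize.net directive suggested above can be expressed as a Magento_Csp whitelist file that a small custom module ships. This is an added example, not code from this thread, from Magento or from Authorize.net; the module name Vendor_CspWhitelist, its file path, the *.authorize.net host pattern and the connect-src entry are assumptions, and the directives you actually need are whatever the report-only warnings on your own site show.

```xml
<?xml version="1.0"?>
<!-- app/code/Vendor/CspWhitelist/etc/csp_whitelist.xml (assumed module name and path).
     Magento_Csp merges every enabled module's csp_whitelist.xml into the policy
     header it sends, so this file takes effect once the module is registered. -->
<csp_whitelist xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Csp:etc/csp_whitelist.xsd">
    <policies>
        <!-- A "Refused to load script" warning in the browser console is a script-src
             violation, so the blocked host is added under that directive. -->
        <policy id="script-src">
            <values>
                <!-- type="host" adds an allowed source host; the wildcard is an
                     assumption that covers the Authorize.net subdomains the checkout
                     loads rather than a single hard-coded hostname. -->
                <value id="authorize-net-scripts" type="host">*.authorize.net</value>
            </values>
        </policy>
        <!-- Assumed: the payment script also talks back to Authorize.net from the
             browser, which CSP governs with connect-src. Keep this only if the
             report-only run shows a connect-src warning for that host. -->
        <policy id="connect-src">
            <values>
                <value id="authorize-net-api" type="host">*.authorize.net</value>
            </values>
        </policy>
    </policies>
</csp_whitelist>
```

Leave report_only at 1 while you collect warnings, and switch it to 0 only after a full pass through checkout and the category pages shows none. Each value id just needs to be unique within the file.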