cancel
Showing results for 
Search instead for 
Did you mean: 

upgrade to 2.3.5-p2 from p1 and now my magento is enforcing CSP??

upgrade to 2.3.5-p2 from p1 and now my magento is enforcing CSP??

Hi, 

I upgrade Magento 2.3.5-p1 to 2.3.5-p2 last night and I didn't realize my credit card checkout option is not showing up. My browser console is showing that it's refusing to load authorize.net stuff because of CSP.

 

I checked the magento_csp module and report is still set to 1. 

<report_only>1</report_only>

 

Help!

 

Update: 

I disabled the module Magento_Csp and now I'm only getting the "Refused to load script" error on some of the Category pages, not all.

3 REPLIES 3
Highlighted

Re: upgrade to 2.3.5-p2 from p1 and now my magento is enforcing CSP??

Best,

 

Yes magento 2 Content security policy is a pain in the... If you are not a programmer.

Or if you are not familiar with it.

 

This is why having a Clone/copy of your website and database on a second server or local is important. So you can test there and if it is working Implement on your live website.

 

Magento is testing, test test test before action!!! Everyone needs staging or second server or local copy (wamp/xamp) with a recent copy of your live website. I see too much magento users making changes on live site which is the wrong approach. This will cost money, downtime and the most important is very bad for Reputation. Set up a staging or Clone website first. Test Magento new versions there, test new extensions there and test all changes there. After this implement in Live.

 

My advice:

Since I am not a expert my approach is make use of your sources.

Good Hosting, Theme and Extension developers are always willing to help.

Because you will stay there and buy extensions if they help you out.

So in this case Ask your theme vendor for help.

They can setup the basics CSP for you Whitelist/config.

After that:

 

First read this: https://devdocs.magento.com/guides/v2.4/extension-dev-guide/security/content-security-policies.html

 

So you know the basics

 

Second:

 

1. Set it to report only

2. Debug your site and write down every single Warning

3. Contact all your extension providers and tell them the extension is Blocked by the magento2  CSP. Most of the time they do not know this. Mark my words.

4. Add the rules to your whitelist (or config if needed).

5. Debug again for warnings, google for these that are not third party extension related

you will find answers.

 

If all Warnings are gone you can activate CSP.

It makes your site way more secure.

Be warned, after installing extensions, themes or whatever software you want to run Debug your site again. You may be end up with CPS problems again.

 

This way you will get the rules you need to add from them in your whitelist/config.

This way you wake up developers and they will add this in the next version of the theme and Extension by default.

 

Everyone wins.....

Highlighted

Re: upgrade to 2.3.5-p2 from p1 and now my magento is enforcing CSP??

@Boompie Thanks for the tips. 

 

I do have a XAMPP dev version of the site but of course being on a windows machine compare to Linux in PRD it's not going to be the same. I had upgraded to p2 on xampp with no issues and that's why I went ahead and did the PRD site. But yes I need a better solution.

 

Thanks for the input.

Highlighted

Re: upgrade to 2.3.5-p2 from p1 and now my magento is enforcing CSP??

Update....so I moved my dev environment to a docker container running linux and php 7.3 to match my prd env and it's running much better. I enabled CSP again in dev and I'm getting the report-only warnings which is expected. I went back to my PRD environment...turned CSP back on and it's enforcing the CSP and blocking some scripts. Had to turn off again.

I'm running the same code on both environments so it makes no sense....I'll keep researching.

Thanks.