Home E-commerce Magento 2.3.5 Content Security Warnings | How to Fix

Magento 2.3.5 Content Security Warnings | How to Fix

0

Magento 2.3.5 Content Security Warnings | How to Fix – You are working on a Magento 2.3.5 project and you have a console full of red lines?

Content Security Policies (CSP) are a powerful tool to mitigate against Cross Site Scripting (XSS) and related attacks, including card skimmers, session hijacking, clickjacking, and more. Web servers send CSPs in response HTTP headers (namely Content-Security-Policy and Content-Security-Policy-Report-Only) to browsers that whitelist the origins of scripts, styles, and other resources. Together, CSPs and built-in browser features help prevent:

  • Loading a malicious script from an attacker’s website
  • A malicious inline script from sending credit card info to an attacker’s website
  • Loading a malicious style that will make users click on an element that wasn’t supposed to be on a page

See Content Security Policy (CSP) and Content-Security-Policy to learn more about CSP and each individual policy.

Magento and CSP

As of version 2.3.5, Magento supports CSP headers and provides ways to configure them. (This functionality is defined in the Magento_Csp module.) Magento also provides default configurations at the application level and for individual core modules that require extra configuration. Policies can be configured for adminhtml and storefront areas separately to accommodate different use cases. Magento also permits configuring unique CSPs for specific pages.

CSP can work in two modes:

  • report-only – In this mode, Magento reports policy violations but does not interfere. This mode is useful for debugging. By default, CSP violations are written to the browser console, but they can be configured to be reported to an endpoint as an HTTP request to collect logs. There are a number of services that will collect, store, and sort your store’s CSP violations reports for you.
  • restrict mode – In this mode, Magento acts on any policy violations.

How to add CSP whitelist using Magento 2 extension?

You can eliminate CSP warning using whitelist file, below is a simple extension to work with Magento 2

How to install Extension

Step 01

Download the Extension

Step 02

Upload file to the app/code directory & unzip using below command

$  unzip CSPWhitelist.zip

Step 03

Go to the Magento 2.3.5 root folder & Install extension using below commands

$  php bin/magento setup:upgrade
$  php bin/magento setup:static-content:deploy -f

Step 04

How to Whitelist domains?

Go to Sagistri > CspWhitelist > etc and edit csp_whitelist.xml

<?xml version="1.0"?>
<csp_whitelist xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Csp/etc/csp_whitelist.xsd">
    <policies>
        <policy id="script-src">
            <values>
                <value id="cloudflare" type="host">*.cloudflare.com</value>
                <value id="twitter.com" type="host">*.twitter.com</value>
                <value id="google-analytics" type="host">*.google-analytics.com</value>
                <value id="twimg" type="host">*.twimg.com</value>
                <value id="gstatic" type="host">*.gstatic.com</value>
                <value id="trustedshops" type="host">*.trustedshops.com</value>
                <value id="usercentrics" type="host">*.usercentrics.eu</value>
                <value id="fontawesome" type="host">*.fontawesome.com</value>
                <value id="google-recaptcha" type="host">*.google.com</value>
                <value id="googleapis" type="host">*.googleapis.com</value>
                <value id="googleadservices" type="host">*.googleadservices.com</value>
                <value id="google-analytics" type="host">*.google-analytics.com</value>
                <value id="vimeo" type="host">*.vimeo.com</value>
                <value id="paypal-project" type="host">*.paypalobjects.com</value>
                <value id="paypal" type="host">*.paypal.com</value>
                <value id="google-tagmanager" type="host">*.googletagmanager.com</value>
                <value id="cloudflareinsights" type="host">*.cloudflareinsights.com</value>
            </values>
        </policy>
        <policy id="style-src">

How to identify policy ID?

Go to your browser developer console > go to errors > you can see CSP errors.

Example;

[Report Only] Refused to connect to ‘https://www.google-analytics.com/j/collect?v=1&_v=j87&a=950788124&t=pageview&_s=……..’ because it violates the following Content Security Policy directive: “connect-src geostag.cardinalcommerce.com

Note : connect-src is the policy id and cardinalcommerce.com is a domain to whitelist.

</policy>
        <policy id="connect-src">
            <values>
                <value id="cloudflare" type="host">*.cloudflare.com</value>
                <value id="twitter.com" type="host">*.twitter.com</value>
                <value id="paypal" type="host">*.paypal.com</value>
                <value id="twimg" type="host">*.twimg.com</value>
                <value id="doubleclick" type="host">*.doubleclick.net</value>
                <value id="cardinalcommerce" type="host">*.cardinalcommerce.com</value>
            </values>
        </policy>

Once you added new domain to the whitelist please make sure to follow Step 03

Hope this is helpful to resolve the issue

NO COMMENTS

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Exit mobile version