Magento, Hyvä Checkout and CSP

Magento 2.4.7

For a long time, CSP has been shipped already in the Magento core (in the form of a module Magento_Csp). However, not everyone liked CSP. The advocates of CSP immediately reply that it is a requirement for PCI compliance, but PCI compliance is not required for every webshop out there. (During a free Yireo webinar on August 30th 2024, we'll explain more about this, with a simple example being the Yireo shop.)

The main thing is that with Magento 2.4.7 (released April 9th) two things changed: First of all, various modules now require the Magento_Csp module to be present, otherwise DI compilation fails. Disabling the Magento_Csp module does not work anymore, removing the module with composer replacements does not work either.

Second, the restrict mode of CSP is enabled on the checkout (or better said: payment pages), plus that same mode restricts the usage of inline scripts. This effectively means that anyone who is using the CSP core module together with third-party additions that are not CSP compatible yet, has a broken checkout. This stirred up discussions in the community for the last couple of months.

Hyvä 1.3.9 is not compatible with CSP

Now comes the annoying thing with Hyvä: It's latest release 1.3.9 (at the time of this writing) is not compatible with these latest CSP changes - as far as I see. The changelogs reveal that some work on CSP was done in the past. But specifically, the inline scripts are a big issue: With Hyvä, Alpine scripts are inline by default and every single one of those scripts are marked by Magento as risky (leaving a JavaScript warning in the error console, when the CSP reporting mode is on).

Adding to this, the Magento 2.4.7 release turned off the reporting mode in the checkout (as mentioned above), which means that a typical Hyvä Checkout installation is broken. A huge bummer.

Workarounds

There are workarounds though. First of all, the reporting mode could be turned on again in the checkout by programmatically extending the configuration (for example, adding lines to app/etc/env.php). Second, there are still ways to disable CSP anyway. For instance, I created a simple Yireo_DisableCsp module, but there are alternatives as well.

However, turning off CSP is not always an option. Again, if your shop needs to be PCI compliant (and I'm not diving into the details of that here) then you will need to have CSP enabled. And if you have CSP enabled, you need a fix for Hyvä it's inline scripts, especially if you are using the Hyvä Checkout.

My own Google Tag Manager extension

I had the same issue with my Yireo_GoogleTagManager2 extension. Because I realized that disabling CSP is just a temporary fix, I sat down to come up with a better solution. The simple approach was to go through every single script shipped with my module and make it CSP-compliant (nonces, $secureRenderer, etc). However, I was annoyed by this approach because I needed to do this 12 times or so, and I'd like to see myself as lazy.

So I created a generic solution instead: First of all, in the GoogleTagManager, by simply converting any inline script in any template into a CSP nonce-based script.

Yireo CspWhitelistInlineJs works for Hyvä too

I then extracted the same functionality to a generic module - Yireo_CspWhitelistInlineJs - and quickly found out that this fixed any CSP issue with inline scripts with any module I tried. This included the Hyvä Checkout as well.

In other words, my Yireo_CspWhitelistInlineJs module could be used with Hyvä / Hyvä Checkout installations where CSP needs to be enabled to be PCI-compliant. Problem solved. And no breaking changes.

There are some theoretical downsides to this automated approach, which I'll discuss in another blog. Also, there are other similar solutions as well, most of them paid - you're welcome.

What is next?

Currently, Hyvä is investigating its own solution. Perhaps it is based on my own solution, perhaps it is done differently. Stay tuned for that.

However, I personally think that a lot of developers - me, Hyvä, other module vendors - overlooked the importance of CSP in the past. Also, the fact that Hyvä has not brought a solution in four months time (since the release of Magento 2.4.7 in April till now) causes me to say that the strategy towards CSP needs to change.

A Yireo webinar

This story is actually just one of many out there when it comes to CSP. The CSP technology (including the modifications needing to be made in Magento) is quite diverse, and it quickly leads to discussions. To initiate further discussions, Yireo is organizing a free webinar on August 30th.

You're welcome to join. Just make sure to register in advance: /webinar/2024-magento-csp