background

August 10, 2024

Yireo CSP whitelisting module for Magento

Yireo Blog Post

Magento 2.4.7 enforces CSP in the checkout by default. You could, of course, put work in undoing that - installing modules, changing the configuration, etc. Alternatively, you could try using my free Yireo_CspWhitelistInlineJs module to fix things without disabling CSP.

Quick intro to Magento 2.4.7 its CSP change

A CSP module already shipped with Magento for years, allowing for shop security to be increased ... optionally, because you still needed to disable the reporting mode, thus enabling the restrictive mode of CSP. Magento 2.4.7 came with breaking changes: It added inline JS scripts to the CSP policy list, meaning that inline JS scripts in the Magento HTML would need to be whitelisted somehow. In general, the third party extensions and custom work that you add to Magento, would need to support CSP and specifically whitelist their own inline scripts.

On top of this, the same Magento release disabled the reporting mode, thus enabling the restrictive mode, in the checkout. And on top of this, the release also made it impossible to disable the core CSP module (due to code dependencies).

An easy fix with the Yireo CspWhitelistInlineJs module

My Yireo_CspWhitelistInlineJs offers an easy fix for this: It scans the output of any kind of PHTML templates (so the HTML of blocks), scans it for script-tags and adds CSP nonces per script-tag. Install the module, enable the module and things are fixed.

As of yet, the Hyvä Checkout also the same issue: Inline scripts are not whitelisted, thus with Magento 2.4.7, the checkout is broken - unless you do something about it. My Magento module fixes things in Hyvä too without a fuzz.

The trust issue

There are some catches though: The very purpose of having extensions whitelist their own inline scripts is so that inline scripts that can be trusted are trusted, and inline scripts that are not trusted by anyone are not whitelisted. With my module, everything is bluntly whitelisted.

Imagine that the database is hacked and an inline script is added to some kind of CMS output, leading to XSS attacks. With my module, such an inline script could be allowed, which is obviously very bad. (Note that by default, CMS blocks and CMS pages are not output by template, so my module does not pick those scripts up - but things could change here.) A manual fix per script per template would prevent this biting you, even though it is costing you time.

(Another remark about my extension: It allows logging. So if you enable it, you could enable the CSP reporting mode, but also enable the logging. After running this for a while, review the log and see if there is something you want to fix differently.)

The nonce issue

Another issue is that the scripts are whitelisted by using nonces. The very word nonce suggests that it is only used a single time. However, my module adds nonces to any PHTML template, including those templates that are going to be cached. Theoretically, cached templates with scripts should have had their nonces refreshed per page. However, on a practical level, caching nonces is actually just fine, because exploits with cached nonces are pretty tricky. Still, different solutions might be needed here (even though adding nonces to scripts is part of the official Magento CSP solution).

A Yireo webinar

This story is actually just one of many out there, when it comes to CSP. The CSP technology (including the modifications needing to be made in Magento) is quite diverse and it quickly leads to discussions. To initiate further discussions, Yireo is organizing a free webinar on August 30th.

You're welcome to join. Just make sure to register in advance: /webinar/2024-magento-csp

Posted on August 10, 2024

Join our free webinar on August 30th on implementing CSP in Magento and whether you should deal with it or not

Preregister now

About the author

Author Jisse Reitsma

Jisse Reitsma is the founder of Yireo, extension developer, developer trainer and 3x Magento Master. His passion is for technology and open source. And he loves talking as well.

Sponsor Yireo

Looking for a training in-house?

Let's get to it!

We don't write too commercial stuff, we focus on the technology (which we love) and we regularly come up with innovative solutions. Via our newsletter, you can keep yourself up to date on all of this coolness. Subscribing only takes seconds.

Do not miss out on what we say

This will be the most interesting spam you have ever read

We don't write too commercial stuff, we focus on the technology (which we love) and we regularly come up with innovative solutions. Via our newsletter, you can keep yourself up to date on all of this coolness. Subscribing only takes seconds.