Closed akislawek closed 3 years ago
Unfortunately, we have not yet taken CSPs into account.
The way I see it, it should be a good first step to add a csp_whitelist.xml file with approximately this content:
```xml
<?xml version="1.0"?>
<csp_whitelist xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Csp:etc/csp_whitelist.xsd">
    <policies>
        <policy id="script-src">
            <values>
                <value id="payone-client-js" type="host">https://secure.pay1.de</value>
                <value id="ratepay-dfp-js" type="host">https://d.ratepay.com</value>
            </values>
        </policy>
        <policy id="connect-src">
            <values>
                <value id="payone-client-api" type="host">https://secure.pay1.de</value>
            </values>
        </policy>
        <policy id="style-src">
            <values>
                <value id="ratepay-dfp-css" type="host">https://d.ratepay.com</value>
            </values>
        </policy>
        <policy id="img-src">
            <values>
                <value id="payone-img-cdn" type="host">https://cdn.pay1.de</value>
            </values>
        </policy>
    </policies>
</csp_whitelist>
```
Can you try to add this file as vendor/payone-gmbh/magento-2/etc/csp_whitelist.xml, do the typical refreshes/rebuilds and see if the errors disappear?
Quick side note: Amazon seems to be listed as an allowed source by Magento defaults - we'd need to check whether that's always the case.
Also it seems like we'd need to whitelist inline scripts as described in this documentation: https://devdocs.magento.com/guides/v2.4/extension-dev-guide/security/content-security-policies.html#whitelist-an-inline-script-or-style. I suppose I'd need to move that to dev then. But your first tests would be greatly appreciated.
After that is all done, we'd need to add a <csp> block to our etc/config.xml as well, according to this doc https://devdocs.magento.com/guides/v2.4/extension-dev-guide/security/content-security-policies.html#configure-a-modules-csp-mode.
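As an added example (not code from the thread or from the Payone module), the following script parses a csp_whitelist.xml in the format shown above and checks a list of resources the extension actually loads against it, so missing directive/host entries can be spotted before the browser reports CSP violations. The whitelist content and the loaded URLs are constructed inline; matching on exact scheme and host is a simplification of the browser's host-source rules (no wildcard or path matching).

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: a trimmed csp_whitelist.xml in the Magento_Csp format discussed above.
CSP_WHITELIST_XML = """<?xml version="1.0"?>
<csp_whitelist xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Csp:etc/csp_whitelist.xsd">
    <policies>
        <policy id="script-src">
            <values>
                <value id="payone-client-js" type="host">https://secure.pay1.de</value>
                <value id="ratepay-dfp-js" type="host">https://d.ratepay.com</value>
            </values>
        </policy>
        <policy id="connect-src">
            <values>
                <value id="payone-client-api" type="host">https://secure.pay1.de</value>
            </values>
        </policy>
    </policies>
</csp_whitelist>
"""


def parse_whitelist(xml_text):
    """Return {directive: {origin, ...}} from csp_whitelist.xml, using only type="host" values."""
    root = ET.fromstring(xml_text)
    policies = {}
    for policy in root.iter("policy"):
        hosts = {v.text.strip() for v in policy.iter("value")
                 if v.get("type") == "host" and v.text}
        policies.setdefault(policy.get("id"), set()).update(hosts)
    return policies


def missing_entries(policies, loaded):
    """Given (directive, url) pairs the extension loads, return (directive, origin)
    pairs that the whitelist does not cover. Simplified: exact scheme+host match."""
    missing = []
    for directive, url in loaded:
        parts = urlsplit(url)
        origin = f"{parts.scheme}://{parts.netloc}"
        if origin not in policies.get(directive, set()):
            missing.append((directive, origin))
    return missing


if __name__ == "__main__":
    # Constructed list of resources; the img-src entry is deliberately absent from the whitelist.
    loaded = [("script-src", "https://secure.pay1.de/some/script.js"),
              ("img-src", "https://cdn.pay1.de/some/logo.png")]
    print(missing_entries(parse_whitelist(CSP_WHITELIST_XML), loaded))
```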
Thanks for your feedback. I used the code you suggested, added a few more lines and it seems to work for now.
Hello Payone team!
I was wondering if you've already tested your extension with Magento v2.4.2? It seems that it's not compatible with the new Content Security Policy (or is it something I'm getting wrong?).