akeneo / pim-community-dev

[Community Development Repository] The open source Product Information Management (PIM)
http://www.akeneo.com

Content Security Policy error Akeneo 4.x #14028

Open sr33rajv opened 3 years ago

sr33rajv commented 3 years ago

Hello, we have a Content Security Policy issue on Akeneo version 4.x. [screenshot attached]

Let me know if anyone can help with this.

Thanks

wucherpfennig commented 3 years ago

We are facing the same issue. Did you find a solution?

https://github.com/akeneo/pim-community-dev/issues/13534

jotalops commented 3 years ago

The only way I found is to modify the class AddContentSecurityPolicyListener (using service overriding) and the method public function addCspHeaders(FilterResponseEvent $event): void; there you can put what you need. I need images from Cloudinary and I have to put this:

    $policy = sprintf(
        "default-src 'self' *.akeneo.com 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' 'nonce-%s'; img-src 'self' *.cloudinary.com data: ; frame-src * ; font-src 'self' data:",
        $this->generatedNonce
    );

Fatma3011 commented 2 years ago

I didn't find solution, if you find one, share it please.

Refused to connect to 'http://akeneo.webteambut.fr/_wdt/49374e' because it violates the following Content Security Policy directive: "default-src 'self' *.akeneo.com 'unsafe-inline'". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.

jotalops commented 2 years ago

did you try what I've suggested?

Fatma3011 commented 2 years ago

Yes, I did, but still the same error :( [screenshot attached]

jotalops commented 2 years ago

And did you clear the cache with: make cache ?

jotalops commented 2 years ago

Also, you have to override the original YAML service declaration with your service (or modify the file directly in /vendor, for testing only).

In my case I've overridden it with this class: Roca\CommonBundle\EventListener\AddContentSecurityPolicyListener

and the declaration is like this (services.yml):

    security.event_listener.add_csp:
        class: Roca\CommonBundle\EventListener\AddContentSecurityPolicyListener
        arguments:

Fatma3011 commented 2 years ago

This code already exists. I really don't know in which class I have to make changes for "Content-Security-Policy". [screenshot attached]

Fatma3011 commented 2 years ago

How can I clear the cache for the Akeneo dev environment?

jotalops commented 2 years ago

make cache

sureshtakeda commented 1 year ago

any update on this?

Username070 commented 6 months ago

Found this post while searching for "Akeneo adding new content security policy". The answer from @jotalops is somewhat right, but I found a better solution.

AddContentSecurityPolicyListener.php is responsible for adding headers on every response event, but overriding it is not the best way to add your own policies. Instead I took a deeper look around and found this class: ContentSecurityPolicyProvider.php. It basically gets every policy provider, calls their getContentSecurityPolicy method and merges the policies. Later on it merges the policies into one big string, which is then returned to the AddContentSecurityPolicyListener.php class mentioned above and set for the required headers.

So my way of adding my own img-src consists of making a new provider and returning a string which is then merged with the original policy. By doing this the original service is kept intact.

Create a provider service which implements the ContentSecurityPolicyProviderInterface interface. That class should implement the method getContentSecurityPolicy and return something like this:

    public function getContentSecurityPolicy(): array
    {
        return [
            'img-src' => ['https://mydomain.com'],
        ];
    }

The service needs to be tagged with akeneo.pim.security.content_security_policy_provider. So in the end it should look like this:

    pim.my_content_security_policy_provider:
        class: '%pim.my_content_security_policy_provider.class%'
        tags:
            - { name: akeneo.pim.security.content_security_policy_provider }

Be sure to clear the cache and reload the page. The provider should be automatically injected into ContentSecurityPolicyProvider.php. ContentSecurityPolicyProvider.php builds the policy string, which is later set by AddContentSecurityPolicyListener.php for the required headers.
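As an added example (not code from this thread and not Akeneo's own), here is a complete provider in the shape the comment above describes, covering the same need @jotalops solved by overriding the listener: extra img-src and connect-src hosts. The bundle name, namespace, file path, service id and the CSP_EXTRA_IMG_HOSTS env var are all hypothetical; the interface's namespace is an assumption about where Akeneo 4.x declares it, so check your vendor/ copy. What the example adds beyond the snippet above is input validation: each configured source must be 'self' or an https:// origin, so a mistyped or over-broad value such as * or 'unsafe-inline' cannot quietly widen the merged policy.

```php
<?php
// Added example, not Akeneo's own code. Assumed (hypothetical) file:
// src/Acme/CspBundle/Provider/ExtraHostsCspProvider.php
declare(strict_types=1);

namespace Acme\CspBundle\Provider;

// Assumption: the interface named in the thread lives in this Akeneo 4.x namespace;
// point the "use" line at wherever your vendor/ copy actually declares it.
use Akeneo\Platform\Bundle\UIBundle\Provider\ContentSecurityPolicy\ContentSecurityPolicyProviderInterface;

/**
 * Contributes extra allow-list entries to the CSP that Akeneo's
 * ContentSecurityPolicyProvider merges and AddContentSecurityPolicyListener emits.
 *
 * Only 'self' and https:// origins (optionally with a leading "*." label) are
 * accepted, so a typo or an over-permissive env var cannot silently turn the
 * directive into "*", "'unsafe-inline'" or a plain http:// host.
 */
final class ExtraHostsCspProvider implements ContentSecurityPolicyProviderInterface
{
    private const ORIGIN_PATTERN = '~^https://(\*\.)?[a-z0-9-]+(\.[a-z0-9-]+)+(:\d{1,5})?$~i';

    /** @var string[] */
    private $imgSources;

    /** @var string[] */
    private $connectSources;

    /**
     * @param string[] $imgSources     sources allowed for img-src
     * @param string[] $connectSources sources allowed for connect-src (XHR, fetch, WebSocket)
     */
    public function __construct(array $imgSources, array $connectSources = [])
    {
        $this->imgSources = self::validate($imgSources);
        $this->connectSources = self::validate($connectSources);
    }

    /**
     * Returns directive => list of sources, the shape shown in the comment above.
     * Directives with no sources are omitted so they keep Akeneo's own values.
     */
    public function getContentSecurityPolicy(): array
    {
        $policy = [];
        if ([] !== $this->imgSources) {
            $policy['img-src'] = $this->imgSources;
        }
        if ([] !== $this->connectSources) {
            $policy['connect-src'] = $this->connectSources;
        }

        return $policy;
    }

    /** @return string[] trimmed, de-duplicated, each entry checked against the allow-list rule */
    private static function validate(array $sources): array
    {
        $clean = [];
        foreach ($sources as $source) {
            $source = trim((string) $source);
            if ('' === $source) {
                continue; // tolerate an empty CSV env var
            }
            if ("'self'" !== $source && !preg_match(self::ORIGIN_PATTERN, $source)) {
                throw new \InvalidArgumentException(sprintf(
                    'Refusing CSP source "%s": only \'self\' or an https:// origin is allowed',
                    $source
                ));
            }
            $clean[$source] = $source;
        }

        return array_values($clean);
    }
}

// Hypothetical service declaration (services.yml in your own bundle). The tag name is
// the one given in the comment above; CSP_EXTRA_IMG_HOSTS is an assumed env var, e.g.
// CSP_EXTRA_IMG_HOSTS="https://res.cloudinary.com,https://*.example-cdn.net"
//
// services:
//     acme.csp.extra_hosts_provider:
//         class: Acme\CspBundle\Provider\ExtraHostsCspProvider
//         arguments:
//             - '%env(csv:CSP_EXTRA_IMG_HOSTS)%'
//             - ["'self'", 'https://api.example.com']
//         tags:
//             - { name: akeneo.pim.security.content_security_policy_provider }
```

Two caveats when using this. First, the error quoted earlier in the thread shows connect-src falling back to default-src because it was not set; once any provider sets connect-src explicitly, that fallback stops for the directive, so the provider must list 'self' as well or the UI's own XHR calls will be blocked. Second, going through a provider means you add only the hosts you need, instead of copying and maintaining Akeneo's whole base policy (including the nonce) in an overridden listener as the earlier snippet does; note that the earlier snippet's frame-src * also removes the framing restriction entirely, which the provider route does not require.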