Closed daniel-ifrim closed 3 years ago
Hi @daniel-ifrim, thanks for catching that. We have solved it here https://github.com/amzn/amazon-payments-magento-2-plugin/pull/963 and we'll release version 3.7.3 soon, including the fix. I will let you know once it is done.
Thanks Best
Christian
Hi @daniel-ifrim, thanks for your patience. Version 3.7.3 contains a fix for this issue. You can find updated patch instructions here: https://github.com/amzn/amazon-payments-magento-2-plugin/blob/3.0.x/PATCH_INSTRUCTIONS.MD
Thanks Best
Christian
@christianzichichi Thank you for your fix. I still get a report only in browser:
[Report Only] Refused to load the image 'https://d23yuld0pofhhw.cloudfront.net/default/de/en_GB/sandbox/lwa/gold/medium/LwA.png' because it violates the following Content Security Policy directive: "img-src widgets.magentocommerce.com www.googleadservices.com www.google-analytics.com www.paypalobjects.com t.paypal.com .ftcdn.net .behance.net data: www.paypal.com fpdbs.paypal.com fpdbs.sandbox.paypal.com .vimeocdn.com s.ytimg.com d3sbl0c71oxeok.cloudfront.net dhkkzdfmpzvap.cloudfront.net d2bpzs5y44q6e0.cloudfront.net d37shgu97oizpd.cloudfront.net d1zlqll3enr74n.cloudfront.net d1jynp0fpwn93a.cloudfront.net d2cb3tokgpwh3v.cloudfront.net d1re8bfxx3pw6e.cloudfront.net d35u8xwkxs8vpe.cloudfront.net d13s9xffygp5o.cloudfront.net d388nbw0dwi1jm.cloudfront.net d11p2vtu3dppaw.cloudfront.net d3r89hiip86hka.cloudfront.net dc7snq0c8ipyk.cloudfront.net d5c7kvljggzso.cloudfront.net d2h8yg3ypfzua1.cloudfront.net d1b556x7apj5fb.cloudfront.net draz1ib3z71v2.cloudfront.net dr6hdp4s5yzfc.cloudfront.net d2bomicxw8p7ii.cloudfront.net d3aypcdgvjnnam.cloudfront.net d2a3iuf10348gy.cloudfront.net .ssl-images-amazon.com .ssl-images-amazon.co.uk .ssl-images-amazon.co.jp .ssl-images-amazon.jp .ssl-images-amazon.it .ssl-images-amazon.fr .ssl-images-amazon.es .ssl-images-amazon.de .media-amazon.com .media-amazon.co.uk .media-amazon.co.jp .media-amazon.jp .media-amazon.it .media-amazon.fr .media-amazon.es *.media-amazon.de yotpo.com www.yotpo.com p.yotpo.com staticw2.yotpo.com w2.yotpo.com 'self' 'unsafe-inline'".
I don't know if it's necessary to have this in the extension's code.
I am running the extension in sandbox mode. I don't know if https://d23yuld0pofhhw.cloudfront.net/ is for sandbox or for live mode.
Added this in csp_whitelist.xml and it fixed my issue:
<policy id="img-src">
    <values>
        ...
        <value id="amazon_cloudfront23" type="host">d23yuld0pofhhw.cloudfront.net</value>
        ...
    </values>
</policy>
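An added example, not part of the original thread or the extension's code: a small Python helper that parses a Chrome CSP console message like the one quoted above, checks whether the blocked host is already covered by the directive's source list, and if not returns a csp_whitelist.xml fragment in the shape shown in the comment. The sample message is constructed (the thread's message with a shortened source list), the matching is simplified to scheme and host, and the `value_id` argument is a hypothetical name.

```python
import re
from urllib.parse import urlsplit
from xml.sax.saxutils import escape, quoteattr

# Constructed sample: the console message from the thread with a shortened source list.
SAMPLE = (
    "[Report Only] Refused to load the image "
    "'https://d23yuld0pofhhw.cloudfront.net/default/de/en_GB/sandbox/lwa/gold/medium/LwA.png' "
    "because it violates the following Content Security Policy directive: "
    "\"img-src www.paypalobjects.com d3sbl0c71oxeok.cloudfront.net "
    "*.media-amazon.de data: 'self' 'unsafe-inline'\"."
)
MSG_RE = re.compile(
    r"Refused to load the \w+ '([^']+)' because it violates the following "
    r"Content Security Policy directive: \"([\w-]+) ([^\"]*)\""
)

def parse_violation(message):
    """Return (scheme, host, directive, sources) from a Chrome CSP console message."""
    m = MSG_RE.search(message)
    if not m:
        raise ValueError("not a CSP 'Refused to load' message")
    url = urlsplit(m.group(1))
    return url.scheme, url.hostname, m.group(2), m.group(3).split()

def source_matches(src, scheme, host):
    """Simplified CSP source matching: host and scheme only, paths and ports ignored."""
    src = src.lower()
    if src == "*":
        return True
    if src.startswith("'"):
        return False  # keywords such as 'self' need the page origin, unknown here
    if src.endswith(":"):
        return src[:-1] == scheme  # scheme source, e.g. data: or https:
    src_host = src.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]
    if src_host.startswith("*."):
        return host.endswith(src_host[1:])  # wildcard covers subdomains, not the apex
    return src_host == host

def whitelist_entry(message, value_id):
    """Return an XML fragment for the blocked host, or None if it is already allowed."""
    scheme, host, directive, sources = parse_violation(message)
    if any(source_matches(s, scheme, host) for s in sources):
        return None
    return (f"<policy id={quoteattr(directive)}>\n    <values>\n"
            f"        <value id={quoteattr(value_id)} type=\"host\">{escape(host)}</value>\n"
            f"    </values>\n</policy>")

if __name__ == "__main__":
    print(whitelist_entry(SAMPLE, "example_cloudfront_host"))  # hypothetical id
```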
Hi @daniel-ifrim,
We've created the above PR to include this cloudfront entry, and it will be merged soon.
Thank you for reporting!
What I expected
No error in browser console (Chrome)
What happened instead
Missing entries in csp_whitelist.xml for amazon.de (including the subdomain of cloudfront.net used by Amazon Payment) https://github.com/amzn/amazon-payments-magento-2-plugin/blob/master/src/Payment/etc/csp_whitelist.xml
Steps to reproduce the issue
Go to checkout, Germany API keys and Germany selected in admin > Configuration > Payment Methods.
Your setup
Magento version: 2.3.5
Amazon Pay Extension Version: 3.7.2
Magento Edition: Community
JavaScript Console: