amzn / amazon-payments-magento-2-plugin

Extension to enable Amazon Pay on Magento 2
https://amzn.github.io/amazon-payments-magento-2-plugin/
Apache License 2.0

Germany csp_whitelist.xml #960

Closed daniel-ifrim closed 3 years ago

daniel-ifrim commented 3 years ago

What I expected

No error in browser console (Chrome)

What happened instead

Missing entries in csp_whitelist.xml for amazon.de (including the subdomain of cloudfront.net used by Amazon Payment) https://github.com/amzn/amazon-payments-magento-2-plugin/blob/master/src/Payment/etc/csp_whitelist.xml

Steps to reproduce the issue

Go to checkout, Germany API keys and Germany selected in admin > Configuration > Payment Methods.

Your setup

Magento version: 2.3.5
Amazon Pay Extension Version: 3.7.2
Magento Edition: Community
JavaScript Console:

[Report Only] Refused to load the image 'https://d23yuld0pofhhw.cloudfront.net/default/de/en_GB/sandbox/lwa/gold/medium/LwA.png' because it violates the following Content Security Policy directive: "img-src widgets.magentocommerce.com www.googleadservices.com www.google-analytics.com t.paypal.com www.paypal.com www.paypalobjects.com fpdbs.paypal.com fpdbs.sandbox.paypal.com *.vimeocdn.com s.ytimg.com d3sbl0c71oxeok.cloudfront.net dhkkzdfmpzvap.cloudfront.net d2bpzs5y44q6e0.cloudfront.net d37shgu97oizpd.cloudfront.net d1zlqll3enr74n.cloudfront.net d1jynp0fpwn93a.cloudfront.net d2cb3tokgpwh3v.cloudfront.net d1re8bfxx3pw6e.cloudfront.net d35u8xwkxs8vpe.cloudfront.net d13s9xffygp5o.cloudfront.net d388nbw0dwi1jm.cloudfront.net d11p2vtu3dppaw.cloudfront.net d3r89hiip86hka.cloudfront.net dc7snq0c8ipyk.cloudfront.net d5c7kvljggzso.cloudfront.net d2h8yg3ypfzua1.cloudfront.net d1b556x7apj5fb.cloudfront.net draz1ib3z71v2.cloudfront.net dr6hdp4s5yzfc.cloudfront.net d2bomicxw8p7ii.cloudfront.net d3aypcdgvjnnam.cloudfront.net d2a3iuf10348gy.cloudfront.net *.ssl-images-amazon.com *.ssl-images-amazon.co.uk *.ssl-images-amazon.co.jp *.ssl-images-amazon.jp *.ssl-images-amazon.it *.ssl-images-amazon.fr *.ssl-images-amazon.es *.media-amazon.com *.media-amazon.co.uk *.media-amazon.co.jp *.media-amazon.jp *.media-amazon.it *.media-amazon.fr *.media-amazon.es 'self' 'unsafe-inline'".

/checkout/#shipping:1 [Report Only] Refused to load the image 'https://d23yuld0pofhhw.cloudfront.net/default/de/en_GB/sandbox/lwa/gold/medium/PwA.png' because it violates the following Content Security Policy directive: "img-src widgets.magentocommerce.com www.googleadservices.com www.google-analytics.com t.paypal.com www.paypal.com www.paypalobjects.com fpdbs.paypal.com fpdbs.sandbox.paypal.com *.vimeocdn.com s.ytimg.com d3sbl0c71oxeok.cloudfront.net dhkkzdfmpzvap.cloudfront.net d2bpzs5y44q6e0.cloudfront.net d37shgu97oizpd.cloudfront.net d1zlqll3enr74n.cloudfront.net d1jynp0fpwn93a.cloudfront.net d2cb3tokgpwh3v.cloudfront.net d1re8bfxx3pw6e.cloudfront.net d35u8xwkxs8vpe.cloudfront.net d13s9xffygp5o.cloudfront.net d388nbw0dwi1jm.cloudfront.net d11p2vtu3dppaw.cloudfront.net d3r89hiip86hka.cloudfront.net dc7snq0c8ipyk.cloudfront.net d5c7kvljggzso.cloudfront.net d2h8yg3ypfzua1.cloudfront.net d1b556x7apj5fb.cloudfront.net draz1ib3z71v2.cloudfront.net dr6hdp4s5yzfc.cloudfront.net d2bomicxw8p7ii.cloudfront.net d3aypcdgvjnnam.cloudfront.net d2a3iuf10348gy.cloudfront.net *.ssl-images-amazon.com *.ssl-images-amazon.co.uk *.ssl-images-amazon.co.jp *.ssl-images-amazon.jp *.ssl-images-amazon.it *.ssl-images-amazon.fr *.ssl-images-amazon.es *.media-amazon.com *.media-amazon.co.uk *.media-amazon.co.jp *.media-amazon.jp *.media-amazon.it *.media-amazon.fr *.media-amazon.es 'self' 'unsafe-inline'".
[Report Only] Refused to send form data to 'https://payments.amazon.de/checkout/widgets/v2/addressBook' because it violates the following Content Security Policy directive: "form-action geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com secure.authorize.net test.authorize.net *.amazon.com *.amazon.co.uk *.amazon.co.jp *.amazon.jp *.amazon.it *.amazon.fr *.amazon.es 'self' 'unsafe-inline'".

[Report Only] Refused to frame 'https://payments.amazon.de/' because it violates the following Content Security Policy directive: "frame-src 'self' geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com secure.authorize.net test.authorize.net www.paypal.com www.sandbox.paypal.com *.amazon.com *.amazon.co.uk *.amazon.co.jp *.amazon.jp *.amazon.it *.amazon.fr *.amazon.es *.payments-amazon.com *.payments-amazon.co.uk *.payments-amazon.co.jp *.payments-amazon.jp *.payments-amazon.it *.payments-amazon.fr *.payments-amazon.es".

[Report Only] Refused to frame 'https://payments.amazon.de/' because it violates the following Content Security Policy directive: "frame-src 'self' geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com secure.authorize.net test.authorize.net www.paypal.com www.sandbox.paypal.com *.amazon.com *.amazon.co.uk *.amazon.co.jp *.amazon.jp *.amazon.it *.amazon.fr *.amazon.es *.payments-amazon.com *.payments-amazon.co.uk *.payments-amazon.co.jp *.payments-amazon.jp *.payments-amazon.it *.payments-amazon.fr *.payments-amazon.es".

[Report Only] Refused to connect to 'https://payments.amazon.de/checkout/logout?coe=DE&env=SANDBOX&mID=A2YSDT4SI7LF6P' because it violates the following Content Security Policy directive: "connect-src geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com *.amazon.com *.amazon.co.uk *.amazon.co.jp *.amazon.jp *.amazon.it *.amazon.fr *.amazon.es *.amazonpay.com *.amazonpay.co.uk *.amazonpay.co.jp *.amazonpay.jp *.amazonpay.it *.amazonpay.fr *.amazonpay.es mws.amazonservices.com mws.amazonservices.co.uk mws.amazonservices.co.jp mws.amazonservices.jp mws.amazonservices.it mws.amazonservices.fr mws.amazonservices.es 'self' 'unsafe-inline'".
zichicc commented 3 years ago

Hi @daniel-ifrim , Thanks for catching that. We have solved it here https://github.com/amzn/amazon-payments-magento-2-plugin/pull/963 and we'll release version 3.7.3 soon, including the fix. I will let you know once it is done.

Thanks Best

Christian

zichicc commented 3 years ago

Hi @daniel-ifrim , thanks for your patience. Version 3.7.3 contains a fix for this issue. You can find updated patch instructions here: https://github.com/amzn/amazon-payments-magento-2-plugin/blob/3.0.x/PATCH_INSTRUCTIONS.MD

Thanks Best

Christian

daniel-ifrim commented 3 years ago

@christianzichichi Thank you for your fix. I still get a report only in browser:

[Report Only] Refused to load the image 'https://d23yuld0pofhhw.cloudfront.net/default/de/en_GB/sandbox/lwa/gold/medium/LwA.png' because it violates the following Content Security Policy directive: "img-src widgets.magentocommerce.com www.googleadservices.com www.google-analytics.com www.paypalobjects.com t.paypal.com *.ftcdn.net *.behance.net data: www.paypal.com fpdbs.paypal.com fpdbs.sandbox.paypal.com *.vimeocdn.com s.ytimg.com d3sbl0c71oxeok.cloudfront.net dhkkzdfmpzvap.cloudfront.net d2bpzs5y44q6e0.cloudfront.net d37shgu97oizpd.cloudfront.net d1zlqll3enr74n.cloudfront.net d1jynp0fpwn93a.cloudfront.net d2cb3tokgpwh3v.cloudfront.net d1re8bfxx3pw6e.cloudfront.net d35u8xwkxs8vpe.cloudfront.net d13s9xffygp5o.cloudfront.net d388nbw0dwi1jm.cloudfront.net d11p2vtu3dppaw.cloudfront.net d3r89hiip86hka.cloudfront.net dc7snq0c8ipyk.cloudfront.net d5c7kvljggzso.cloudfront.net d2h8yg3ypfzua1.cloudfront.net d1b556x7apj5fb.cloudfront.net draz1ib3z71v2.cloudfront.net dr6hdp4s5yzfc.cloudfront.net d2bomicxw8p7ii.cloudfront.net d3aypcdgvjnnam.cloudfront.net d2a3iuf10348gy.cloudfront.net *.ssl-images-amazon.com *.ssl-images-amazon.co.uk *.ssl-images-amazon.co.jp *.ssl-images-amazon.jp *.ssl-images-amazon.it *.ssl-images-amazon.fr *.ssl-images-amazon.es *.ssl-images-amazon.de *.media-amazon.com *.media-amazon.co.uk *.media-amazon.co.jp *.media-amazon.jp *.media-amazon.it *.media-amazon.fr *.media-amazon.es *.media-amazon.de yotpo.com www.yotpo.com p.yotpo.com staticw2.yotpo.com w2.yotpo.com 'self' 'unsafe-inline'".

I don't know if it's necessary to have this in the extension's code. I am running the extension in sandbox mode. I don't know if https://d23yuld0pofhhw.cloudfront.net/ is for sandbox or for live mode. Added this in csp_whitelist.xml and it fixed my issue:

    <policy id="img-src">
        <values>
            ...
            <value id="amazon_cloudfront23" type="host">d23yuld0pofhhw.cloudfront.net</value>
            ...
        </values>
    </policy>

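To turn a console like the one above into the entries a whitelist still lacks, here is an added Python example that is not part of the issue or of the plugin's own code: it parses the report-only messages, checks each blocked host against the `<policy>`/`<value>` hosts of a csp_whitelist.xml (honouring `*.` wildcards the way CSP host-sources do), and renders the missing `<value>` lines. The whitelist fragment, its value ids and the console lines are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed csp_whitelist.xml fragment; the value ids are made up, not the plugin's own.
WHITELIST_XML = """<csp_whitelist>
  <policies>
    <policy id="img-src"><values>
      <value id="amazon_cloudfront1" type="host">d3sbl0c71oxeok.cloudfront.net</value>
      <value id="amazon_images_de" type="host">*.media-amazon.de</value>
    </values></policy>
    <policy id="frame-src"><values>
      <value id="amazon_de" type="host">*.amazon.de</value>
    </values></policy>
  </policies>
</csp_whitelist>"""

# Constructed console lines modelled on the report-only messages in this issue (source lists shortened).
CONSOLE_LOG = """\
[Report Only] Refused to load the image 'https://d23yuld0pofhhw.cloudfront.net/default/de/en_GB/sandbox/lwa/gold/medium/LwA.png' because it violates the following Content Security Policy directive: "img-src 'self'".
[Report Only] Refused to frame 'https://payments.amazon.de/' because it violates the following Content Security Policy directive: "frame-src 'self'".
[Report Only] Refused to send form data to 'https://payments.amazon.de/checkout/widgets/v2/addressBook' because it violates the following Content Security Policy directive: "form-action 'self'".
"""

VIOLATION_RE = re.compile(r"Refused to .*? '(?P<url>https?://[^']+)'.*?directive: \"(?P<directive>[a-z-]+)")

def load_whitelist(xml_text):
    """Return {policy id: set of host patterns} from a Magento csp_whitelist.xml."""
    return {p.get("id"): {v.text.strip() for v in p.iter("value") if v.get("type") == "host"}
            for p in ET.fromstring(xml_text).iter("policy")}

def host_matches(host, pattern):
    """CSP host-source match: exact host, or a '*.' wildcard covering any subdomain (not the apex)."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern

def missing_entries(console_log, xml_text):
    """Map each violated directive to the blocked hosts that no whitelist entry covers."""
    allowed = load_whitelist(xml_text)
    missing = {}
    for m in VIOLATION_RE.finditer(console_log):
        host, directive = urlparse(m.group("url")).hostname, m.group("directive")
        if not any(host_matches(host, p) for p in allowed.get(directive, ())):
            missing.setdefault(directive, set()).add(host)
    return missing

def render_values(missing):
    """<value> lines to paste into the matching <policy>; the ids are placeholders to rename."""
    return [f'<value id="added_{d.replace("-", "_")}_{i}" type="host">{h}</value>'
            for d, hosts in sorted(missing.items()) for i, h in enumerate(sorted(hosts), 1)]
```

Running it on the constructed input reports the cloudfront image host under img-src and payments.amazon.de under form-action, while the frame-src violation is already covered by the `*.amazon.de` wildcard.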
jajajaime commented 3 years ago

Hi @daniel-ifrim,

We've created the above PR to include this cloudfront entry, and it will be merged soon.

Thank you for reporting!