magento / magento2

http://www.magento.com
Open Software License 3.0

[2.3.5][Magento_Csp] Content-Security-Policy header is too large #28102

Closed IgorVitol closed 2 years ago

IgorVitol commented 4 years ago

Preconditions (*)

  1. Magento CE/EE 2.3.5 with Sample Data (composer installation)
  2. Nginx 1.17.10 / FPM (PHP 7.3.16).
  3. Default Nginx config used (nginx.conf.sample)

Steps to reproduce (*)

  1. Navigate to URL: /women/tops-women.html

Expected result (*)

  1. Category should open without any issues

Actual result (*)

  1. Error - Nginx: 502 Bad Gateway.
  2. Nginx logs:

    upstream sent too big header while reading response header from upstream.

Actually this happens on many different pages. After some investigation and comparing with a 2.3.4 installation, I have found that the module "Magento_Csp" is adding an extra-large header, "Content-Security-Policy" or "Content-Security-Policy-Report-Only", which breaks the default Nginx limit for header size (4k).

Just to compare, here is response headers added by Magento in 2.3.4 / 2.3.5 for same Women/Tops category:

  1. 2.3.4: ~ 2.9k in size (because of product cache tags)
    [
    "X-Powered-By: PHP\/7.3.16",
    "Set-Cookie: mage-cache-sessid=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=\/",
    "Set-Cookie: PHPSESSID=3e3b551e44eff750b888b718a1080043; expires=Mon, 04-May-2020 11:08:41 GMT; Max-Age=3600; path=\/; domain=magento2.local; secure; HttpOnly",
    "Set-Cookie: form_key=XUgokXJjBnndASPS; expires=Mon, 04-May-2020 11:08:41 GMT; Max-Age=3600; path=\/; domain=magento2.local; secure",
    "Pragma: cache",
    "Cache-Control: max-age=86400, public, s-maxage=86400",
    "Expires: Tue, 05 May 2020 10:08:42 GMT",
    "X-Magento-Tags: store,cms_b,cms_b_1,cms_b_footer_links_block,cat_c_21,cat_c_p_21,cat_p_1082,cat_p,cat_p_1067,cat_p_1068,cat_p_1069,cat_p_1070,cat_p_1071,cat_p_1072,cat_p_1073,cat_p_1074,cat_p_1075,cat_p_1076,cat_p_1077,cat_p_1078,cat_p_1079,cat_p_1080,cat_p_1081,cat_p_1136,cat_p_1121,cat_p_1122,cat_p_1123,cat_p_1124,cat_p_1125,cat_p_1126,cat_p_1127,cat_p_1128,cat_p_1129,cat_p_1130,cat_p_1131,cat_p_1132,cat_p_1133,cat_p_1134,cat_p_1135,cat_p_1274,cat_p_1259,cat_p_1260,cat_p_1261,cat_p_1262,cat_p_1263,cat_p_1264,cat_p_1265,cat_p_1266,cat_p_1267,cat_p_1268,cat_p_1269,cat_p_1270,cat_p_1271,cat_p_1272,cat_p_1273,cat_p_1450,cat_p_1435,cat_p_1436,cat_p_1437,cat_p_1438,cat_p_1439,cat_p_1440,cat_p_1441,cat_p_1442,cat_p_1443,cat_p_1444,cat_p_1445,cat_p_1446,cat_p_1447,cat_p_1448,cat_p_1449,cat_p_1498,cat_p_1483,cat_p_1484,cat_p_1485,cat_p_1486,cat_p_1487,cat_p_1488,cat_p_1489,cat_p_1490,cat_p_1491,cat_p_1492,cat_p_1493,cat_p_1494,cat_p_1495,cat_p_1496,cat_p_1497,cat_p_1514,cat_p_1499,cat_p_1500,cat_p_1501,cat_p_1502,cat_p_1503,cat_p_1504,cat_p_1505,cat_p_1506,cat_p_1507,cat_p_1508,cat_p_1509,cat_p_1510,cat_p_1511,cat_p_1512,cat_p_1513,cat_p_1594,cat_p_1579,cat_p_1580,cat_p_1581,cat_p_1582,cat_p_1583,cat_p_1584,cat_p_1585,cat_p_1586,cat_p_1587,cat_p_1588,cat_p_1589,cat_p_1590,cat_p_1591,cat_p_1592,cat_p_1593,cat_p_1754,cat_p_1739,cat_p_1740,cat_p_1741,cat_p_1742,cat_p_1743,cat_p_1744,cat_p_1745,cat_p_1746,cat_p_1747,cat_p_1748,cat_p_1749,cat_p_1750,cat_p_1751,cat_p_1752,cat_p_1753,cat_p_1802,cat_p_1787,cat_p_1788,cat_p_1789,cat_p_1790,cat_p_1791,cat_p_1792,cat_p_1793,cat_p_1794,cat_p_1795,cat_p_1796,cat_p_1797,cat_p_1798,cat_p_1799,cat_p_1800,cat_p_1801,cat_p_1050,cat_p_1035,cat_p_1036,cat_p_1037,cat_p_1038,cat_p_1039,cat_p_1040,cat_p_1041,cat_p_1042,cat_p_1043,cat_p_1044,cat_p_1045,cat_p_1046,cat_p_1047,cat_p_1048,cat_p_1049,cat_p_1200,cat_p_1185,cat_p_1186,cat_p_1187,cat_p_1188,cat_p_1189,cat_p_1190,cat_p_1191,cat_p_1192,cat_p_1193,cat_p_1194,cat_p_1195,cat_p_1196,cat_p
_1197,cat_p_1198,cat_p_1199,cat_p_1216,cat_p_1201,cat_p_1202,cat_p_1203,cat_p_1204,cat_p_1205,cat_p_1206,cat_p_1207,cat_p_1208,cat_p_1209,cat_p_1210,cat_p_1211,cat_p_1212,cat_p_1213,cat_p_1214,cat_p_1215",
    "X-Magento-Debug: 1",
    "X-Content-Type-Options: nosniff",
    "X-XSS-Protection: 1; mode=block",
    "X-Frame-Options: SAMEORIGIN"
    ]

  2. 2.3.5: ~ 4.9k in size (because of product cache tags + csp)

    [
    "X-Powered-By: PHP\/7.3.16",
    "Set-Cookie: mage-cache-sessid=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=\/",
    "Set-Cookie: PHPSESSID=ad946a72224b9800ae7fc97789e7a223; expires=Mon, 04-May-2020 09:13:21 GMT; Max-Age=3600; path=\/; domain=magento2.local; secure; HttpOnly",
    "Set-Cookie: form_key=dh78SLda7p7MFjOR; expires=Mon, 04-May-2020 09:13:21 GMT; Max-Age=3600; path=\/; domain=magento2.local; secure",
    "Pragma: cache",
    "Cache-Control: max-age=86400, public, s-maxage=86400",
    "Expires: Tue, 05 May 2020 08:13:23 GMT",
    "X-Magento-Tags: store,cms_b,cms_b_1,cms_b_footer_links_block,cat_c_21,cat_c_p_21,cat_p_1082,cat_p,cat_p_1067,cat_p_1068,cat_p_1069,cat_p_1070,cat_p_1071,cat_p_1072,cat_p_1073,cat_p_1074,cat_p_1075,cat_p_1076,cat_p_1077,cat_p_1078,cat_p_1079,cat_p_1080,cat_p_1081,cat_p_1136,cat_p_1121,cat_p_1122,cat_p_1123,cat_p_1124,cat_p_1125,cat_p_1126,cat_p_1127,cat_p_1128,cat_p_1129,cat_p_1130,cat_p_1131,cat_p_1132,cat_p_1133,cat_p_1134,cat_p_1135,cat_p_1274,cat_p_1259,cat_p_1260,cat_p_1261,cat_p_1262,cat_p_1263,cat_p_1264,cat_p_1265,cat_p_1266,cat_p_1267,cat_p_1268,cat_p_1269,cat_p_1270,cat_p_1271,cat_p_1272,cat_p_1273,cat_p_1450,cat_p_1435,cat_p_1436,cat_p_1437,cat_p_1438,cat_p_1439,cat_p_1440,cat_p_1441,cat_p_1442,cat_p_1443,cat_p_1444,cat_p_1445,cat_p_1446,cat_p_1447,cat_p_1448,cat_p_1449,cat_p_1498,cat_p_1483,cat_p_1484,cat_p_1485,cat_p_1486,cat_p_1487,cat_p_1488,cat_p_1489,cat_p_1490,cat_p_1491,cat_p_1492,cat_p_1493,cat_p_1494,cat_p_1495,cat_p_1496,cat_p_1497,cat_p_1514,cat_p_1499,cat_p_1500,cat_p_1501,cat_p_1502,cat_p_1503,cat_p_1504,cat_p_1505,cat_p_1506,cat_p_1507,cat_p_1508,cat_p_1509,cat_p_1510,cat_p_1511,cat_p_1512,cat_p_1513,cat_p_1594,cat_p_1579,cat_p_1580,cat_p_1581,cat_p_1582,cat_p_1583,cat_p_1584,cat_p_1585,cat_p_1586,cat_p_1587,cat_p_1588,cat_p_1589,cat_p_1590,cat_p_1591,cat_p_1592,cat_p_1593,cat_p_1754,cat_p_1739,cat_p_1740,cat_p_1741,cat_p_1742,cat_p_1743,cat_p_1744,cat_p_1745,cat_p_1746,cat_p_1747,cat_p_1748,cat_p_1749,cat_p_1750,cat_p_1751,cat_p_1752,cat_p_1753,cat_p_1802,cat_p_1787,cat_p_1788,cat_p_1789,cat_p_1790,cat_p_1791,cat_p_1792,cat_p_1793,cat_p_1794,cat_p_1795,cat_p_1796,cat_p_1797,cat_p_1798,cat_p_1799,cat_p_1800,cat_p_1801,cat_p_1050,cat_p_1035,cat_p_1036,cat_p_1037,cat_p_1038,cat_p_1039,cat_p_1040,cat_p_1041,cat_p_1042,cat_p_1043,cat_p_1044,cat_p_1045,cat_p_1046,cat_p_1047,cat_p_1048,cat_p_1049,cat_p_1200,cat_p_1185,cat_p_1186,cat_p_1187,cat_p_1188,cat_p_1189,cat_p_1190,cat_p_1191,cat_p_1192,cat_p_1193,cat_p_1194,cat_p_1195,cat_p_1196,cat_p
_1197,cat_p_1198,cat_p_1199,cat_p_1216,cat_p_1201,cat_p_1202,cat_p_1203,cat_p_1204,cat_p_1205,cat_p_1206,cat_p_1207,cat_p_1208,cat_p_1209,cat_p_1210,cat_p_1211,cat_p_1212,cat_p_1213,cat_p_1214,cat_p_1215",
    "X-Magento-Debug: 1",
    "Content-Security-Policy-Report-Only: font-src 'self' 'unsafe-inline'; form-action geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com secure.authorize.net test.authorize.net 'self' 'unsafe-inline'; frame-ancestors 'self' 'unsafe-inline'; frame-src geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com secure.authorize.net test.authorize.net www.paypal.com www.sandbox.paypal.com 'self' 'unsafe-inline'; img-src widgets.magentocommerce.com www.googleadservices.com www.google-analytics.com t.paypal.com www.paypal.com www.paypalobjects.com fpdbs.paypal.com fpdbs.sandbox.paypal.com *.vimeocdn.com s.ytimg.com 'self' 'unsafe-inline'; script-src assets.adobedtm.com geostag.cardinalcommerce.com 1eafstag.cardinalcommerce.com geoapi.cardinalcommerce.com 1eafapi.cardinalcommerce.com songbird.cardinalcommerce.com includestest.ccdc02.com www.googleadservices.com www.google-analytics.com secure.authorize.net test.authorize.net www.paypal.com www.sandbox.paypal.com www.paypalobjects.com t.paypal.com s.ytimg.com video.google.com vimeo.com www.vimeo.com js.authorize.net jstest.authorize.net cdn-scripts.signifyd.com www.youtube.com js.braintreegateway.com 'self' 'unsafe-inline' 'unsafe-eval'; style-src getfirebug.com 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; media-src 'self' 'unsafe-inline'; manifest-src 'self' 'unsafe-inline'; connect-src geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com 'self' 'unsafe-inline'; child-src 'self' 'unsafe-inline'; default-src 'self' 'unsafe-inline' 'unsafe-eval'; base-uri 'self' 'unsafe-inline';",
    "X-Content-Type-Options: nosniff",
    "X-XSS-Protection: 1; mode=block",
    "X-Frame-Options: SAMEORIGIN"
    ]

As you can see, in 2.3.5 CSP adds about 2K to the response headers of all requests by default. Someone could say that it is an easy fix, just increase the limits in Nginx to at least 6k, like this:

    fastcgi_buffers 1024 6k;
    fastcgi_buffer_size 6k;

But in this case you would also need to adjust the limits in all involved proxies, like Nginx SSL offloaders or the Kubernetes Nginx Ingress.

And it will not fix the core issue - it looks like the CSP module is adding all merged rules as a header to all requests. And potentially it could grow in size in the future.

Example (same Women/Tops category page):

  1. cardinalcommerce.com
  2. sandbox.paypal.com
  3. test.authorize.net
  4. etc.

All of this is not actually required on a category page. It looks like it would be better to generate different rule pools per page type, rather than a global pool for all...

You can read more about such limits:

  1. https://stackoverflow.com/a/8623061
  2. https://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_buffer_size
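The 502 in this report comes from nginx failing to fit the whole upstream response head into one `fastcgi_buffer_size` buffer. The following added example (not code from the Magento project or from this issue) measures a raw header block the way nginx receives it from PHP-FPM, reports how many bytes each header occupies and flags a head that would overflow the buffer. The sample head is constructed: its tag list is synthetic and its CSP is a shortened policy built from hosts that appear in the report.

```python
"""Measure a response head against an nginx FastCGI buffer limit."""
from typing import Dict, Tuple

# nginx reads the entire upstream response head into a single buffer of
# fastcgi_buffer_size (one memory page by default; the report measured 4k).
# FastCGI record framing adds a little overhead on top of the header bytes,
# so treat the threshold as approximate.
DEFAULT_BUFFER_BYTES = 4 * 1024

# Constructed sample: a category-page head with 400 synthetic cache tags and
# a shortened CSP using hosts from the report (not a real Magento response).
_TAGS = "store,cms_b," + ",".join(f"cat_p_{i}" for i in range(1000, 1400))
_CSP = (
    "default-src 'self' 'unsafe-inline'; "
    "script-src 'self' 'unsafe-inline' www.google-analytics.com js.braintreegateway.com "
    "www.paypal.com www.sandbox.paypal.com secure.authorize.net test.authorize.net "
    "geostag.cardinalcommerce.com songbird.cardinalcommerce.com; "
    "img-src 'self' www.paypalobjects.com *.vimeocdn.com s.ytimg.com; "
    "frame-src 'self' www.paypal.com www.sandbox.paypal.com; "
    "connect-src 'self' geo.cardinalcommerce.com; "
    "frame-ancestors 'self'; base-uri 'self'"
)
SAMPLE_HEAD = (
    "X-Powered-By: PHP/7.3.16\r\n"
    "Cache-Control: max-age=86400, public, s-maxage=86400\r\n"
    f"X-Magento-Tags: {_TAGS}\r\n"
    f"Content-Security-Policy-Report-Only: {_CSP}\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
).encode("latin-1")


def header_sizes(raw: bytes) -> Tuple[int, Dict[str, int]]:
    """Return (total head bytes, bytes per header name); CRLF terminators included."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    sizes: Dict[str, int] = {}
    for line in head.split(b"\r\n"):
        if not line:
            continue
        name = line.split(b":", 1)[0].decode("latin-1").strip()
        # a name may repeat (Set-Cookie does); every occurrence takes buffer space
        sizes[name] = sizes.get(name, 0) + len(line) + 2
    total = sum(sizes.values()) + 2  # plus the empty line that terminates the head
    return total, sizes


def audit(raw: bytes, limit: int = DEFAULT_BUFFER_BYTES) -> dict:
    """Flag a head that nginx would reject with 'upstream sent too big header'
    and name the three headers contributing most to it."""
    total, sizes = header_sizes(raw)
    largest = sorted(sizes.items(), key=lambda kv: kv[1], reverse=True)[:3]
    return {"total": total, "limit": limit, "overflow": total > limit, "largest": largest}


if __name__ == "__main__":
    report = audit(SAMPLE_HEAD)
    print(f"head: {report['total']} bytes, limit {report['limit']}, overflow={report['overflow']}")
    for name, size in report["largest"]:
        print(f"  {size:5d}  {name}")
```

Feed it the output of a `curl -sD - -o /dev/null` against the category page to see which header dominates; on the sample the tag list outweighs the CSP, which matches what later comments in this thread observe.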

m2-assistant[bot] commented 4 years ago

Hi @IgorVitol. Thank you for your report. To help us process this issue please make sure that you provided the following information:

Please make sure that the issue is reproducible on a vanilla Magento instance following the Steps to reproduce. To deploy a vanilla Magento instance on our environment, please add a comment to the issue:

@magento give me 2.4-develop instance - upcoming 2.4.x release

For more details, please, review the Magento Contributor Assistant documentation.

@IgorVitol do you confirm that you were able to reproduce the issue on a vanilla Magento instance following the steps to reproduce?


m2-assistant[bot] commented 4 years ago

Hi @engcom-Delta. Thank you for working on this issue. In order to make sure that the issue has enough information and is ready for development, please read and check the following instruction: :point_down:

magento-engcom-team commented 4 years ago

:white_check_mark: Confirmed by @engcom-Delta Thank you for verifying the issue. Based on the provided information internal tickets MC-34157 were created

Issue Available: @engcom-Delta, You will be automatically unassigned. Contributors/Maintainers can claim this issue to continue. To reclaim and continue work, reassign the ticket to yourself.

medhassenkhatteche commented 4 years ago

Hi everyone, I have a problem when I launch my website Magento 2.3.5-1 locally with MySQL.

i have in console all this The Content Security Policy 'font-src 'self' 'unsafe-inline'; form-action geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com secure.authorize.net test.authorize.net 'self' 'unsafe-inline'; frame-ancestors 'self' 'unsafe-inline'; frame-src geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com secure.authorize.net test.authorize.net www.paypal.com www.sandbox.paypal.com 'self' 'unsafe-inline'; img-src widgets.magentocommerce.com www.googleadservices.com www.google-analytics.com t.paypal.com www.paypal.com www.paypalobjects.com fpdbs.paypal.com fpdbs.sandbox.paypal.com *.vimeocdn.com s.ytimg.com 'self' 'unsafe-inline'; script-src assets.adobedtm.com geostag.cardinalcommerce.com 1eafstag.cardinalcommerce.com geoapi.cardinalcommerce.com 1eafapi.cardinalcommerce.com songbird.cardinalcommerce.com includestest.ccdc02.com www.googleadservices.com www.google-analytics.com secure.authorize.net test.authorize.net www.paypal.com www.sandbox.paypal.com www.paypalobjects.com t.paypal.com s.ytimg.com video.google.com vimeo.com www.vimeo.com js.authorize.net jstest.authorize.net cdn-scripts.signifyd.com www.youtube.com js.braintreegateway.com 'self' 'unsafe-inline' 'unsafe-eval'; style-src getfirebug.com 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; media-src 'self' 'unsafe-inline'; manifest-src 'self' 'unsafe-inline'; connect-src geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com 'self' 'unsafe-inline'; child-src 'self' 'unsafe-inline'; default-src 'self' 'unsafe-inline' 'unsafe-eval'; base-uri 'self' 'unsafe-inline';' was delivered in report-only mode, but does 
not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header. localhost/:1 [Report Only] Refused to load the stylesheet 'https://fonts.googleapis.com/css?family=Work+Sans:400,700.less' because it violates the following Content Security Policy directive: "style-src getfirebug.com 'self' 'unsafe-inline'". Note that 'style-src-elem' was not explicitly set, so 'style-src' is used as a fallback.

localhost/:1 [Report Only] Refused to load the script 'https://www.google.com/recaptcha/api.js' because it violates the following Content Security Policy directive: "script-src assets.adobedtm.com geostag.cardinalcommerce.com 1eafstag.cardinalcommerce.com geoapi.cardinalcommerce.com 1eafapi.cardinalcommerce.com songbird.cardinalcommerce.com includestest.ccdc02.com www.googleadservices.com www.google-analytics.com secure.authorize.net test.authorize.net www.paypal.com www.sandbox.paypal.com www.paypalobjects.com t.paypal.com s.ytimg.com video.google.com vimeo.com www.vimeo.com js.authorize.net jstest.authorize.net cdn-scripts.signifyd.com www.youtube.com js.braintreegateway.com 'self' 'unsafe-inline' 'unsafe-eval'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

api.js:1 [Report Only] Refused to load the script 'https://www.gstatic.com/recaptcha/releases/-wV2EAWEOTlEtZh4vNQtn3H1/recaptcha__fr.js' because it violates the following Content Security Policy directive: "script-src assets.adobedtm.com geostag.cardinalcommerce.com 1eafstag.cardinalcommerce.com geoapi.cardinalcommerce.com 1eafapi.cardinalcommerce.com songbird.cardinalcommerce.com includestest.ccdc02.com www.googleadservices.com www.google-analytics.com secure.authorize.net test.authorize.net www.paypal.com www.sandbox.paypal.com www.paypalobjects.com t.paypal.com s.ytimg.com video.google.com vimeo.com www.vimeo.com js.authorize.net jstest.authorize.net cdn-scripts.signifyd.com www.youtube.com js.braintreegateway.com 'self' 'unsafe-inline' 'unsafe-eval'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

(anonymous) @ api.js:1 (anonymous) @ api.js:1 DevTools failed to load SourceMap: Could not load content for chrome-extension://gighmmpiobklfepjocnamgkkbiglidom/include.preload.js.map: HTTP error: status code 404, net::ERR_UNKNOWN_URL_SCHEME 6[Report Only] Refused to load the font '' because it violates the following Content Security Policy directive: "font-src 'self' 'unsafe-inline'".

DevTools failed to load SourceMap: Could not load content for chrome-extension://gighmmpiobklfepjocnamgkkbiglidom/include.postload.js.map: HTTP error: status code 404, net::ERR_UNKNOWN_URL_SCHEME 5Refused to execute script from '' because its MIME type ('text/html') is not executable, and strict MIME type checking is enabled. require.js:166 Uncaught Error: Script error for: js/theme http://requirejs.org/docs/errors.html#scripterror at makeError (require.js:166) at HTMLScriptElement.onScriptError (require.js:1681) makeError @ require.js:166 onScriptError @ require.js:1681 error (async) req.load @ require.js:1883 load @ require.js:1639 load @ require.js:820 fetch @ require.js:810 check @ require.js:840 enable @ require.js:1143 enable @ require.js:1511 (anonymous) @ require.js:1128 (anonymous) @ require.js:132 each @ require.js:57 enable @ require.js:1090 init @ require.js:774 (anonymous) @ require.js:1416 setTimeout (async) req.nextTick @ require.js:1755 localRequire @ require.js:1405 configure @ require.js:1343 requirejs @ require.js:1734 req.config @ require.js:1745 (anonymous) @ requirejs-config.js:117 (anonymous) @ requirejs-config.js:118 (anonymous) @ requirejs-config.js:643 require.js:166 Uncaught Error: Script error for: mage/backend/bootstrap http://requirejs.org/docs/errors.html#scripterror at makeError (require.js:166) at HTMLScriptElement.onScriptError (require.js:1681) makeError @ require.js:166 onScriptError @ require.js:1681 error (async) req.load @ require.js:1883 load @ require.js:1639 load @ require.js:820 fetch @ require.js:810 check @ require.js:840 enable @ require.js:1143 enable @ require.js:1511 (anonymous) @ require.js:1128 (anonymous) @ require.js:132 each @ require.js:57 enable @ require.js:1090 init @ require.js:774 (anonymous) @ require.js:1416 setTimeout (async) req.nextTick @ require.js:1755 localRequire @ require.js:1405 configure @ require.js:1343 requirejs @ require.js:1734 req.config @ require.js:1745 (anonymous) @ 
requirejs-config.js:117 (anonymous) @ requirejs-config.js:118 (anonymous) @ requirejs-config.js:643 require.js:166 Uncaught Error: Script error for: mage/adminhtml/globals http://requirejs.org/docs/errors.html#scripterror at makeError (require.js:166) at HTMLScriptElement.onScriptError (require.js:1681) makeError @ require.js:166 onScriptError @ require.js:1681 error (async) req.load @ require.js:1883 load @ require.js:1639 load @ require.js:820 fetch @ require.js:810 check @ require.js:840 enable @ require.js:1143 enable @ require.js:1511 (anonymous) @ require.js:1128 (anonymous) @ require.js:132 each @ require.js:57 enable @ require.js:1090 init @ require.js:774 (anonymous) @ require.js:1416 setTimeout (async) req.nextTick @ require.js:1755 localRequire @ require.js:1405 configure @ require.js:1343 requirejs @ require.js:1734 req.config @ require.js:1745 (anonymous) @ requirejs-config.js:117 (anonymous) @ requirejs-config.js:118 (anonymous) @ requirejs-config.js:643 require.js:166 Uncaught Error: Script error for: Magento_Catalog/catalog/product http://requirejs.org/docs/errors.html#scripterror at makeError (require.js:166) at HTMLScriptElement.onScriptError (require.js:1681) makeError @ require.js:166 onScriptError @ require.js:1681 error (async) req.load @ require.js:1883 load @ require.js:1639 load @ require.js:820 fetch @ require.js:810 check @ require.js:840 enable @ require.js:1143 enable @ require.js:1511 (anonymous) @ require.js:1128 (anonymous) @ require.js:132 each @ require.js:57 enable @ require.js:1090 init @ require.js:774 (anonymous) @ require.js:1416 setTimeout (async) req.nextTick @ require.js:1755 localRequire @ require.js:1405 configure @ require.js:1343 requirejs @ require.js:1734 req.config @ require.js:1745 (anonymous) @ requirejs-config.js:333 (anonymous) @ requirejs-config.js:334 (anonymous) @ requirejs-config.js:643 require.js:166 Uncaught Error: Script error for: jquery http://requirejs.org/docs/errors.html#scripterror at makeError 
(require.js:166) at HTMLScriptElement.onScriptError (require.js:1681)

How can I resolve it? Help please!

xpoback commented 4 years ago

@medhassenkhatteche

How can I resolve it? Help please!

  1. Try to avoid copy-pasting unformatted and unfiltered text/logs from the console/anywhere. This might help people not to lose their desire to help while scrolling down such comments. Most of the text you copied is some log from a Chrome extension which is completely irrelevant.
  2. Read about CSP here: https://devdocs.magento.com/guides/v2.3/extension-dev-guide/security/content-security-policies.html

peterjaap commented 4 years ago

You can just disable Magento_Csp entirely since in its current state it gives a false sense of security. See https://maxchadwick.xyz/blog/magento-2-3-5-csp-fools-errand + https://maxchadwick.xyz/blog/magento-disable-csp for more info.

Anantkprajapati commented 4 years ago

Hello guys, you can use this module to fix this issue: https://github.com/Anantkprajapati/AKP_CSP Let me know if you require more information.

joe5250 commented 4 years ago

Hello guys, already working on this issue. Try the following module; the rules for CSP are stored in the DB: https://github.com/flancer32/mage2_ext_csp

m2-assistant[bot] commented 4 years ago

Hi @nathanjosiah. Thank you for working on this issue. Looks like this issue is already verified and confirmed. But if you want to validate it one more time, please go through the following instruction:


nathanjosiah commented 4 years ago

Hello everyone!

In regards to the size of the CSP headers, we are aware that it is a problem for some of our customers. We are investigating our options for how we can address this specific issue. However, as some of you have already noticed, this isn't simply from CSP alone and the Magento cache tags are also playing a big part in the total size of the headers.

As for those of you that are commenting on the overall effectiveness of CSP and simply disabling the module and referencing https://maxchadwick.xyz/blog/magento-2-3-5-csp-fools-errand this is Magento's official response:

With the security of an application, we do understand that every customer has a different perspective and preference on the implementation and support of security features. While some researchers feel the strict-dynamic approach is hard to maintain and the whitelist approach is easier, some feel vice versa. As of Magento 2.3.5, the Magento CSP API does support both whitelist and strict-dynamic settings, so a merchant can set up their CSP in any way they want - whitelist or dynamic. In the upcoming 2.4.0, we will be removing “unsafe-inline” from allowed resources from both “style-src” and “script-src” directives to improve anti-XSS protection, and in future we will turn on enforcement mode by default and further improve our CSP offering. With these steps we hope to prevent most card skimmers from doing any harm.

CSP should be considered as another layer of protection for the webstore and not the only line of defense. We understand that CSP will not stop attackers from exploiting every vulnerability on the webstore, but it does stop browsers from executing injected malicious scripts. Magento is continuously invested in adding additional security tools such as 2FA by default, anti-CSRF, anti-XSS and many other common vulnerability controls in our product. We are not solely relying on the whitelisting approach provided by CSP, but also continually evaluating robust, next-generation solutions that would provide more granular control over third party code.

We would like any feedback or suggestions on how we can make our product more secure for you.

IgorVitol commented 4 years ago

Hi! Adding a few notes.

In M2.4.0 with sample data installed, the total size of the response headers for the same Women/Tops category has increased again. And now it is bigger than 6k - you have to keep this in mind while adding any kind of workaround. As I see it, the Magento team has "fixed" this by changing the default nginx configuration to use a 32k buffer. I hope that it is just a temporary fix.

Headers example (M2.4.0, Women/Tops category):

Array
(
  [0] => X-Powered-By: PHP/7.4.8
  [1] => Set-Cookie: PHPSESSID=e15a6af4820f9bfda2e4eef82dd667d8; expires=Mon, 17-Aug-2020 06:42:23 GMT; Max-Age=3600; path=/; domain=magento2.local; secure; HttpOnly
  [2] => Set-Cookie: form_key=GSFXrkQwrholQWbd; expires=Mon, 17-Aug-2020 06:42:24 GMT; Max-Age=3600; path=/; domain=magento2.local; secure
  [3] => Pragma: cache
  [4] => Cache-Control: max-age=86400, public, s-maxage=86400
  [5] => Expires: Tue, 18 Aug 2020 05:42:24 GMT
  [6] => X-Magento-Tags: store,cms_b,cms_b_2,cms_b_footer_links_block,cat_c_21,cat_c_p_21,cat_p_1050,cat_p,cat_p_1035,cat_p_1036,cat_p_1037,cat_p_1038,cat_p_1039,cat_p_1040,cat_p_1041,cat_p_1042,cat_p_1043,cat_p_1044,cat_p_1045,cat_p_1046,cat_p_1047,cat_p_1048,cat_p_1049,cat_p_1066,cat_p_1051,cat_p_1052,cat_p_1053,cat_p_1054,cat_p_1055,cat_p_1056,cat_p_1057,cat_p_1058,cat_p_1059,cat_p_1060,cat_p_1061,cat_p_1062,cat_p_1063,cat_p_1064,cat_p_1065,cat_p_1082,cat_p_1067,cat_p_1068,cat_p_1069,cat_p_1070,cat_p_1071,cat_p_1072,cat_p_1073,cat_p_1074,cat_p_1075,cat_p_1076,cat_p_1077,cat_p_1078,cat_p_1079,cat_p_1080,cat_p_1081,cat_p_1098,cat_p_1083,cat_p_1084,cat_p_1085,cat_p_1086,cat_p_1087,cat_p_1088,cat_p_1089,cat_p_1090,cat_p_1091,cat_p_1092,cat_p_1093,cat_p_1094,cat_p_1095,cat_p_1096,cat_p_1097,cat_p_1114,cat_p_1099,cat_p_1100,cat_p_1101,cat_p_1102,cat_p_1103,cat_p_1104,cat_p_1105,cat_p_1106,cat_p_1107,cat_p_1108,cat_p_1109,cat_p_1110,cat_p_1111,cat_p_1112,cat_p_1113,cat_p_1120,cat_p_1115,cat_p_1116,cat_p_1117,cat_p_1118,cat_p_1119,cat_p_1136,cat_p_1121,cat_p_1122,cat_p_1123,cat_p_1124,cat_p_1125,cat_p_1126,cat_p_1127,cat_p_1128,cat_p_1129,cat_p_1130,cat_p_1131,cat_p_1132,cat_p_1133,cat_p_1134,cat_p_1135,cat_p_1152,cat_p_1137,cat_p_1138,cat_p_1139,cat_p_1140,cat_p_1141,cat_p_1142,cat_p_1143,cat_p_1144,cat_p_1145,cat_p_1146,cat_p_1147,cat_p_1148,cat_p_1149,cat_p_1150,cat_p_1151,cat_p_1168,cat_p_1153,cat_p_1154,cat_p_1155,cat_p_1156,cat_p_1157,cat_p_1158,cat_p_1159,cat_p_1160,cat_p_1161,cat_p_1162,cat_p_1163,cat_p_1164,cat_p_1165,cat_p_1166,cat_p_1167,cat_p_1184,cat_p_1169,cat_p_1170,cat_p_1171,cat_p_1172,cat_p_1173,cat_p_1174,cat_p_1175,cat_p_1176,cat_p_1177,cat_p_1178,cat_p_1179,cat_p_1180,cat_p_1181,cat_p_1182,cat_p_1183,cat_p_1200,cat_p_1185,cat_p_1186,cat_p_1187,cat_p_1188,cat_p_1189,cat_p_1190,cat_p_1191,cat_p_1192,cat_p_1193,cat_p_1194,cat_p_1195,cat_p_1196,cat_p_1197,cat_p_1198,cat_p_1199,cat_p_1216,cat_p_1201,cat_p_1202,cat_p_1203,cat_p_1204,cat_p_1205,cat_p_1206,c
at_p_1207,cat_p_1208,cat_p_1209,cat_p_1210,cat_p_1211,cat_p_1212,cat_p_1213,cat_p_1214,cat_p_1215
  [7] => X-Magento-Debug: 1
  [8] => Content-Security-Policy-Report-Only: font-src 'self' 'unsafe-inline'; form-action secure.authorize.net test.authorize.net geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com *.amazon.com *.amazon.co.uk *.amazon.co.jp *.amazon.jp *.amazon.it *.amazon.fr *.amazon.es yotpo.com www.yotpo.com p.yotpo.com staticw2.yotpo.com w2.yotpo.com 'self' 'unsafe-inline'; frame-ancestors 'self' 'unsafe-inline'; frame-src secure.authorize.net test.authorize.net www.paypal.com www.sandbox.paypal.com geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com www.googletagmanager.com *.amazon.com *.amazon.co.uk *.amazon.co.jp *.amazon.jp *.amazon.it *.amazon.fr *.amazon.es *.payments-amazon.com *.payments-amazon.co.uk *.payments-amazon.co.jp *.payments-amazon.jp *.payments-amazon.it *.payments-amazon.fr *.payments-amazon.es yotpo.com www.yotpo.com p.yotpo.com staticw2.yotpo.com w2.yotpo.com 'self' 'unsafe-inline'; img-src widgets.magentocommerce.com www.googleadservices.com www.google-analytics.com www.paypalobjects.com t.paypal.com www.paypal.com fpdbs.paypal.com fpdbs.sandbox.paypal.com *.vimeocdn.com s.ytimg.com d3sbl0c71oxeok.cloudfront.net dhkkzdfmpzvap.cloudfront.net d2bpzs5y44q6e0.cloudfront.net d37shgu97oizpd.cloudfront.net d1zlqll3enr74n.cloudfront.net d1jynp0fpwn93a.cloudfront.net d2cb3tokgpwh3v.cloudfront.net d1re8bfxx3pw6e.cloudfront.net d35u8xwkxs8vpe.cloudfront.net d13s9xffygp5o.cloudfront.net d388nbw0dwi1jm.cloudfront.net d11p2vtu3dppaw.cloudfront.net d3r89hiip86hka.cloudfront.net dc7snq0c8ipyk.cloudfront.net d5c7kvljggzso.cloudfront.net d2h8yg3ypfzua1.cloudfront.net d1b556x7apj5fb.cloudfront.net draz1ib3z71v2.cloudfront.net dr6hdp4s5yzfc.cloudfront.net d2bomicxw8p7ii.cloudfront.net d3aypcdgvjnnam.cloudfront.net 
d2a3iuf10348gy.cloudfront.net *.ssl-images-amazon.com *.ssl-images-amazon.co.uk *.ssl-images-amazon.co.jp *.ssl-images-amazon.jp *.ssl-images-amazon.it *.ssl-images-amazon.fr *.ssl-images-amazon.es *.media-amazon.com *.media-amazon.co.uk *.media-amazon.co.jp *.media-amazon.jp *.media-amazon.it *.media-amazon.fr *.media-amazon.es yotpo.com www.yotpo.com p.yotpo.com staticw2.yotpo.com w2.yotpo.com 'self' 'unsafe-inline'; script-src assets.adobedtm.com secure.authorize.net test.authorize.net www.googleadservices.com www.google-analytics.com www.paypalobjects.com js.braintreegateway.com www.paypal.com www.sandbox.paypal.com t.paypal.com s.ytimg.com video.google.com vimeo.com www.vimeo.com geostag.cardinalcommerce.com 1eafstag.cardinalcommerce.com geoapi.cardinalcommerce.com 1eafapi.cardinalcommerce.com songbird.cardinalcommerce.com includestest.ccdc02.com www.youtube.com www.googletagmanager.com *.payments-amazon.com *.payments-amazon.co.uk *.payments-amazon.co.jp *.payments-amazon.jp *.payments-amazon.it *.payments-amazon.fr *.payments-amazon.es yotpo.com www.yotpo.com p.yotpo.com staticw2.yotpo.com w2.yotpo.com 'self' 'unsafe-inline' 'unsafe-eval'; style-src getfirebug.com yotpo.com www.yotpo.com p.yotpo.com staticw2.yotpo.com w2.yotpo.com 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; media-src 'self' 'unsafe-inline'; manifest-src 'self' 'unsafe-inline'; connect-src geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com *.amazon.com *.amazon.co.uk *.amazon.co.jp *.amazon.jp *.amazon.it *.amazon.fr *.amazon.es *.amazonpay.com *.amazonpay.co.uk *.amazonpay.co.jp *.amazonpay.jp *.amazonpay.it *.amazonpay.fr *.amazonpay.es mws.amazonservices.com mws.amazonservices.co.uk mws.amazonservices.co.jp mws.amazonservices.jp mws.amazonservices.it mws.amazonservices.fr mws.amazonservices.es yotpo.com www.yotpo.com p.yotpo.com staticw2.yotpo.com 
w2.yotpo.com 'self' 'unsafe-inline'; child-src http: https: blob: 'self' 'unsafe-inline'; default-src 'self' 'unsafe-inline' 'unsafe-eval'; base-uri 'self' 'unsafe-inline';
  [9] => X-Content-Type-Options: nosniff
  [10] => X-XSS-Protection: 1; mode=block
  [11] => X-Frame-Options: SAMEORIGIN
)

However, as some of you have already noticed, this isn't simply from CSP alone and the Magento cache tags are also playing a big part in the total size of the headers.

@nathanjosiah Have you thought about dividing the whole CSP list and retrieving only the relevant domains for a specific page? As I said before:

Example (same Women/Tops category page):

cardinalcommerce.com, sandbox.paypal.com, test.authorize.net, etc.

All of this is not actually required on category page.

nathanjosiah commented 4 years ago

@IgorVitol It's an interesting proposal. As I said, we would like to explore this idea further but I definitely see this being a tricky thing to implement because of how asset chains can be loaded. With core magento it is currently impossible to know which client-side assets are possible to be loaded on a given page which would make it impossible to accurately determine which policies would be needed for a given page. It's possible the effort with https://github.com/magento/baler would improve this ability but I fear that it would never be good enough to rely on it since the consequence for missing a policy would be a broken page.

We are welcoming all feedback for ideas on how to improve this feature!

ihor-sviziev commented 3 years ago

@nathanjosiah I believe we can start with checking production vs test mode and whether the payment method is enabled. For instance, if authorize.net isn't enabled on the website - let's not add its domains at all; if it is enabled in "production" mode - let's add only the production domain(s); if it's in sandbox mode - let's add only the sandbox domains. All this info could for sure be provided by extensions. The same for Cardinal Commerce, etc.

Currently I see API for providing list of needed headers declared in xml, it means that we can't add any checks when these domains should be added.

What do you think?
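The proposal above, assembled into working code as an added example: this is not Magento code and not the XML-declared API the comment refers to. The catalog, the provider names, the page types and the `ENABLED` configuration are assumptions chosen to illustrate the idea; the hosts are taken from the headers in this thread. Each allowed host records the integration that declared it, the environment (production/sandbox) it belongs to and the page types that actually load it, and the policy for a request keeps only the sources whose conditions hold.

```python
"""Build a per-page CSP from conditionally declared sources."""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Source:
    directive: str
    host: str
    provider: str                     # integration that declared this host (assumed names)
    mode: str = "any"                 # "production", "sandbox" or "any"
    pages: frozenset = frozenset()    # page types that need it; empty = every page


# Constructed catalog; hosts come from the report, the conditions are assumptions.
CATALOG = [
    Source("script-src", "secure.authorize.net", "authorize_net", "production", frozenset({"checkout"})),
    Source("script-src", "test.authorize.net", "authorize_net", "sandbox", frozenset({"checkout"})),
    Source("frame-src", "www.paypal.com", "paypal", "production", frozenset({"checkout", "cart"})),
    Source("frame-src", "www.sandbox.paypal.com", "paypal", "sandbox", frozenset({"checkout", "cart"})),
    Source("connect-src", "geo.cardinalcommerce.com", "cardinal", "production", frozenset({"checkout"})),
    Source("connect-src", "geostag.cardinalcommerce.com", "cardinal", "sandbox", frozenset({"checkout"})),
    Source("script-src", "www.google-analytics.com", "google_analytics"),   # every page
    Source("img-src", "www.google-analytics.com", "google_analytics"),
    Source("img-src", "*.vimeocdn.com", "video", pages=frozenset({"product"})),
]

# Provider -> mode it runs in; a provider missing here is disabled on the site.
# Constructed configuration: Cardinal Commerce is deliberately left out.
ENABLED = {
    "authorize_net": "production",
    "paypal": "sandbox",
    "google_analytics": "production",
    "video": "production",
}

# First-party baseline every page gets. The report's default policy also carries
# 'unsafe-inline'; it is omitted here on purpose.
BASELINE = {
    "default-src": ["'self'"], "script-src": ["'self'"], "style-src": ["'self'"],
    "img-src": ["'self'"], "connect-src": ["'self'"], "frame-src": ["'self'"],
    "frame-ancestors": ["'self'"], "base-uri": ["'self'"],
}


def build_policy(catalog: Iterable[Source], enabled: Dict[str, str], page_type: str) -> Dict[str, List[str]]:
    """Return directive -> sources, keeping only hosts this page, in this mode, can load."""
    policy = {d: list(v) for d, v in BASELINE.items()}
    for s in catalog:
        mode = enabled.get(s.provider)
        if mode is None:
            continue                      # integration disabled: none of its hosts
        if s.mode != "any" and s.mode != mode:
            continue                      # wrong environment, e.g. sandbox host in production
        if s.pages and page_type not in s.pages:
            continue                      # this page type never loads the asset
        sources = policy.setdefault(s.directive, [])
        if s.host not in sources:
            sources.append(s.host)
    return policy


def serialize(policy: Dict[str, List[str]]) -> str:
    """Render the policy as a Content-Security-Policy header value."""
    return "; ".join(f"{d} {' '.join(v)}" for d, v in policy.items())


if __name__ == "__main__":
    for page in ("category", "checkout"):
        value = serialize(build_policy(CATALOG, ENABLED, page))
        print(f"{page:9s} {len(value):4d} bytes  {value}")
```

The category page ends up with the baseline plus the analytics host only; the checkout page additionally gets the production Authorize.Net script host and the sandbox PayPal frame host, while no Cardinal Commerce host appears anywhere because that provider is disabled. The risk nathanjosiah raises still applies: a page type whose asset list is incomplete gets a policy that blocks a legitimate load, so a per-page policy should be rolled out in report-only mode first and the reports reviewed before enforcing it.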

ananth-iyer commented 3 years ago

I think it could be related to the website server configuration. https://websiteforstudents.com/resolved-400-bad-request-request-header-or-cookie-too-large-via-nginx/

For nginx,

    server {
        # ...
        large_client_header_buffers 4 16k;
        # ...
    }

pmonosolo commented 3 years ago

Still present in 2.4.2-p1. Had enormous crashes with both Redis and File storage cache after upgrade from 2.3.3 to 2.4.2-p1. Once CSP is disabled, the RAM does not get bashed.

This issue would happen when Catalog Search index was running (if anybody needs to know how to test it quickly)

ToonSpinISAAC commented 2 years ago

In our case, X-Magento-Tags is the biggest culprit in one site which does not use Varnish. Is there a way to disable output of the X-Magento-Tags header and related headers if you don't use Varnish?

It doesn't seem right for those headers to leak to the internet - not that that's such a big security issue but still, I feel like best practice is to allow as few headers as possible to be present in responses.

hostep commented 2 years ago

@ToonSpinISAAC: I have the feeling that the following PR might solve your issue: https://github.com/magento/magento2/pull/33468

ToonSpinISAAC commented 2 years ago

Thanks for the tip @hostep! I'll pass it on to our devs, I think you're right.

sdzhepa commented 2 years ago

Based on the previous comments and the absence of other discussions, I assume the problem was resolved in the scope of the PR from https://github.com/magento/magento2/issues/28102#issuecomment-1000793814

Feel free to create a new issue or reopen this one if it is still relevant on the latest code base.

webloft commented 1 year ago

2.4.5-p1 still present:

Content-Security-Policy-Report-Only: 3875 chars

lsiebels commented 5 days ago

We at @basecom have recently released a plugin specifically designed to solve the problem of oversized Content Security Policy headers. If you've ever encountered the problem of a single CSP header exceeding the maximum allowed size, our plugin can help. The Magento 2 CSP Split Header plugin splits the CSP header into multiple CSP headers so that the problem of an oversized header field can be avoided.
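Splitting one policy across several headers needs one check before it is trusted: browsers enforce every Content-Security-Policy header on a response independently, so a load is allowed only if each delivered policy allows it, and a policy that lacks a fetch directive falls back to its own default-src. A header that carries default-src but not, say, script-src therefore blocks third-party scripts even when another header lists them. The following added example (not the plugin's code and not from this issue; the sample policy, probe list and `shop.example` host are constructed) evaluates loads against a set of headers with those rules, shows a split that changes the decisions, and a split that keeps them.

```python
"""Evaluate loads against several CSP headers and verify a header split."""
from typing import Dict, List, Tuple

# CSP Level 3 fetch directives: absent ones fall back to default-src.
FETCH_DIRECTIVES = {
    "child-src", "connect-src", "font-src", "frame-src", "img-src",
    "manifest-src", "media-src", "object-src", "prefetch-src", "script-src",
    "script-src-elem", "script-src-attr", "style-src", "style-src-elem",
    "style-src-attr", "worker-src",
}

# Constructed sample policy and probes; hosts taken from the report.
SELF = "shop.example"
ORIGINAL = ("default-src 'self'; script-src 'self' www.google-analytics.com; "
            "img-src 'self' *.vimeocdn.com; frame-ancestors 'self'; "
            "form-action 'self' secure.authorize.net")
PROBES: List[Tuple[str, str]] = [
    ("script-src", "www.google-analytics.com"), ("script-src", "cdn.other.example"),
    ("img-src", "i.vimeocdn.com"), ("connect-src", SELF), ("connect-src", "api.other.example"),
    ("form-action", "secure.authorize.net"), ("frame-ancestors", SELF),
]


def parse_policy(text: str) -> Dict[str, List[str]]:
    """Directive -> source list; a later duplicate directive is ignored by browsers, so keep the first."""
    policy: Dict[str, List[str]] = {}
    for part in text.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def serialize(policy: Dict[str, List[str]]) -> str:
    return "; ".join(f"{d} {' '.join(s)}" for d, s in policy.items())


def host_allowed(sources: List[str], host: str, self_host: str) -> bool:
    """Simplified matching: 'self' by host only, exact hosts and *.wildcards; keywords ignored."""
    for src in sources:
        if src == "'self'" and host == self_host:
            return True
        if src.startswith("*.") and host.endswith(src[1:]):
            return True
        if src == host:
            return True
    return False


def policy_allows(policy: Dict[str, List[str]], directive: str, host: str, self_host: str) -> bool:
    sources = policy.get(directive)
    if sources is None and directive in FETCH_DIRECTIVES:
        sources = policy.get("default-src")      # the fallback that makes naive splits unsafe
    if sources is None:
        return True                               # this policy says nothing about the load
    return host_allowed(sources, host, self_host)


def allowed(headers: List[str], directive: str, host: str, self_host: str) -> bool:
    """A load succeeds only if every delivered policy allows it."""
    return all(policy_allows(parse_policy(h), directive, host, self_host) for h in headers)


def naive_split(text: str, parts: int = 2) -> List[str]:
    """What not to do: deal directives round-robin, separating default-src from fetch directives."""
    items = list(parse_policy(text).items())
    return [serialize(dict(items[i::parts])) for i in range(parts)]


def split_policy(text: str) -> List[str]:
    """Keep default-src together with every fetch directive in one header; document and
    navigation directives (frame-ancestors, form-action, base-uri, ...) go into another."""
    policy = parse_policy(text)
    fetch = {d: s for d, s in policy.items() if d == "default-src" or d in FETCH_DIRECTIVES}
    rest = {d: s for d, s in policy.items() if d not in fetch}
    return [serialize(p) for p in (fetch, rest) if p]


def divergences(original: str, headers: List[str], probes, self_host: str) -> List[Tuple[str, str]]:
    """Probes that the split headers decide differently from the single original policy."""
    return [p for p in probes if allowed([original], *p, self_host) != allowed(headers, *p, self_host)]


if __name__ == "__main__":
    print("naive :", divergences(ORIGINAL, naive_split(ORIGINAL), PROBES, SELF))
    print("safe  :", divergences(ORIGINAL, split_policy(ORIGINAL), PROBES, SELF))
```

The naive split blocks the analytics script because the header holding default-src has no script-src of its own, while the directive-aware split reproduces every decision of the original. The same intersection rule means a single directive's source list must never be spread over two headers, and that the header holding default-src is the one that cannot shrink; if it alone is still too large, the only lossless options are trimming the sources or raising the buffer.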