magento / magento2

http://www.magento.com
Open Software License 3.0

Content security policy issue with 2.4.7 magento version #38906

Closed kunwarsingh77 closed 2 months ago

kunwarsingh77 commented 2 months ago

Preconditions and environment

Steps Taken to Address the Issue - Updated Content Security Policy (CSP):

I have modified the csp_whitelist.xml to include all necessary script sources such as Stripe, reCAPTCHA, and other third-party services. I ensured all script sources mentioned in the console error were whitelisted.

Issue Details Content Security Policy Error:

The initial issue was a CSP error preventing the Stripe script from loading and my custom payment method not loading at checkout. Error message: Refused to load the script 'https://js.stripe.com/v3/' because it violates the following Content Security Policy directive...

I have added the necessary script sources to csp_whitelist.xml to resolve this error. Now my payment gateway loads on checkout, but when we select the payment gateway the Stripe form does not load; the console shows a reCAPTCHA error with a timeout and still shows a CSP error as well.

My custom Stripe payment gateway works properly with all previous versions of Magento, but since I updated to the new 2.4.7 version I am facing this issue.

We seek assistance in understanding if there are any additional steps or configurations required in Magento 2.4.7 to resolve this CSP, especially with custom payment gateways.

Steps to reproduce

1. Install Magento 2.4.7.
2. Create and configure a custom payment gateway that integrates with Stripe.
3. Ensure the custom payment method is enabled in the Magento Admin panel.
4. Go to checkout with a product and open the console: you will see that your custom payment gateway is not showing and there is a CSP error in the console.

Expected result

After updating to the new version of Magento 2.4.7, the custom payment gateway loads properly, there is no content security policy issue, and there are no custom reCAPTCHA issues if it was working with the previous version of Magento.

Actual result

After updating to the new version of Magento 2.4.7, if you have a custom payment gateway it will not load at checkout and will show a content security policy issue in the console.

Additional information

No response

Release note

No response

Triage and priority

m2-assistant[bot] commented 2 months ago

Hi @kunwarsingh77. Thank you for your report. To speed up processing of this issue, make sure that the issue is reproducible on a vanilla Magento instance following the Steps to reproduce. To deploy a vanilla Magento instance on our environment, add a comment to the issue:

m2-assistant[bot] commented 2 months ago

Hi @engcom-Bravo. Thank you for working on this issue. In order to make sure that the issue has enough information and is ready for development, please read and check the following instructions:

kunwarsingh77 commented 2 months ago

Hi @engcom-Bravo, here are some screenshots of the issue after I whitelisted some URLs in the csp_whitelist file and my payment method loaded. If you see screenshot 2, there is a reCAPTCHA issue where the Stripe form has to load, and the console is showing CSP errors. This issue does not occur in the previous version, where my plugin and custom payment gateway work properly.

[Screenshot from 2024-07-05 11-49-22]
[Screenshot from 2024-07-05 11-54-05]

engcom-Bravo commented 2 months ago

Hi @kunwarsingh77,

Thanks for your report and collaboration.

The Stripe Payments extension does not come along with the latest / default Magento installation. The code of this package is not part of the https://github.com/magento/magento2 git repository, so we are not able to provide a fix for it in this repository. All questions, issue reports and fixes for them should be addressed to the corresponding extension owners (support) or the Magento Marketplace page.

Thank you.

kunwarsingh77 commented 2 months ago

Hi @engcom-Bravo,
but the new Magento version is causing the content security policy issue, which is why the other extension is not working properly. Could you please give us a solution, or tell us how we can support the CSP issue with the latest version, to avoid or remove the CSP issue from the latest version?

hostep commented 2 months ago

You should contact Stripe support, not Magento support, for this. They will be much quicker in helping you out. It seems like their module hasn't yet implemented the needed CSP support for Magento 2.4.7.

Also, if you want to see more details in the browser's console, open the arrow next to the error; underneath it you should see more details (hopefully).

Also, you could setup a CSP reporting service (here's a free one: https://sansec.watch/), it should give you some feedback about any CSP violations that happen on your shop so you can keep a close watch on it.

Also, if CSP blocks you and you want it resolved urgently, you can temporarily disable it (by configuring it - one, two - or by installing a module, ...), then take your time to figure out a solution, implement it and then enable it again.
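As an added example for this thread (not code from Magento, Stripe, or anyone posting here), the script below ties hostep's two suggestions together: it takes CSP violation reports of the kind a reporting endpoint receives (the standard `report-uri` JSON shape with a `csp-report` object) together with console messages in the wording quoted in the first post, groups the blocked hosts per directive, and renders them as a `csp_whitelist.xml` in the Magento_Csp structure (`policies` / `policy id` / `value type="host"`). The report bodies and hostnames are constructed samples. Violations that name no host (inline scripts, `eval`, `data:` URIs) are listed separately, because a host entry cannot fix them; that is the case amcguireweb runs into below, where a hash only works for inline code that never changes.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit
from xml.sax.saxutils import escape

# Constructed sample: CSP violation reports in the JSON shape a browser POSTs
# to a report-uri endpoint (hostnames chosen to match the thread).
SAMPLE_REPORTS = [
    {"csp-report": {"violated-directive": "script-src 'self'",
                    "blocked-uri": "https://js.stripe.com/v3/"}},
    {"csp-report": {"effective-directive": "frame-src",
                    "blocked-uri": "https://js.stripe.com/v3/controller.html"}},
    {"csp-report": {"effective-directive": "connect-src",
                    "blocked-uri": "https://api.stripe.com/v1/payment_methods"}},
    {"csp-report": {"effective-directive": "script-src-elem",
                    "blocked-uri": "inline"}},
]
# Constructed sample: console messages in the wording quoted in the issue.
SAMPLE_CONSOLE = [
    "Refused to load the script 'https://www.google.com/recaptcha/api.js' because "
    "it violates the following Content Security Policy directive: \"script-src 'self'\".",
    "Refused to execute inline script because it violates the following Content "
    "Security Policy directive: \"script-src 'self'\".",
]

# Directives for which a type="host" entry in csp_whitelist.xml is meaningful.
FETCH_DIRECTIVES = {
    "script-src", "style-src", "img-src", "font-src", "connect-src", "frame-src",
    "media-src", "object-src", "child-src", "worker-src", "manifest-src",
    "form-action", "frame-ancestors",
}
CONSOLE_RE = re.compile(
    r"Refused to .*?'(?P<uri>[^']+)' because it violates the following "
    r"Content Security Policy directive: \"(?P<directive>[a-z-]+)"
)


def violation_from_report(report):
    """(directive, blocked-uri) from one report-uri JSON document."""
    body = report.get("csp-report", report)
    directive = body.get("effective-directive") or body["violated-directive"].split()[0]
    return directive, body.get("blocked-uri", "")


def violation_from_console(line):
    """(directive, blocked-uri) from a console line, or None when no URL is named."""
    m = CONSOLE_RE.search(line)
    return (m.group("directive"), m.group("uri")) if m else None


def collect(reports, console_lines):
    """Group blocked hosts per base directive; keep non-host violations apart.

    Inline scripts, eval and data: URIs cannot be fixed with a host entry; they
    need a hash (static inline code only) or a change in the extension itself.
    """
    hosts, unresolved = defaultdict(set), []
    found = [violation_from_report(r) for r in reports]
    found += [v for v in map(violation_from_console, console_lines) if v]
    for directive, blocked in found:
        base = re.sub(r"-(elem|attr)$", "", directive)  # script-src-elem -> script-src
        host = urlsplit(blocked).hostname if "://" in blocked else None
        if base in FETCH_DIRECTIVES and host:
            hosts[base].add(host)
        else:
            unresolved.append((base, blocked))
    return dict(hosts), unresolved


def render_csp_whitelist(hosts_by_directive):
    """Render the csp_whitelist.xml structure that Magento_Csp merges per module."""
    out = [
        '<?xml version="1.0"?>',
        '<csp_whitelist xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"',
        '    xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Csp/etc/csp_whitelist.xsd">',
        "    <policies>",
    ]
    for directive in sorted(hosts_by_directive):
        out += [f'        <policy id="{directive}">', "            <values>"]
        for host in sorted(hosts_by_directive[directive]):
            value_id = re.sub(r"[^a-z0-9]", "_", host.lower())  # ids must be unique per policy
            out.append(f'                <value id="{value_id}" type="host">{escape(host)}</value>')
        out += ["            </values>", "        </policy>"]
    out += ["    </policies>", "</csp_whitelist>"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    found_hosts, leftovers = collect(SAMPLE_REPORTS, SAMPLE_CONSOLE)
    print(render_csp_whitelist(found_hosts))
    for directive, blocked in leftovers:
        print(f"# not fixable with a host entry: {directive} {blocked}")
```

Run it as-is and it prints a whitelist with `script-src`, `frame-src` and `connect-src` policies plus one leftover line for the inline script. Every host it emits widens what the checkout page may load from, so read the generated file before committing it to a module's `etc/csp_whitelist.xml`, and keep CSP in report-only mode on a staging copy until the report stream is empty rather than switching it off.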

kunwarsingh77 commented 2 months ago

Thanks, I have resolved the issue by following https://developer.adobe.com/commerce/php/development/security/content-security-policies/#page-specific-content-security-policies

amcguireweb commented 1 month ago

Thanks, I have resolved the issue by following https://developer.adobe.com/commerce/php/development/security/content-security-policies/#page-specific-content-security-policies

You resolved the issue by just disabling it. It's unfortunate that Adobe cannot provide sufficient documentation for their software which results in merchants everywhere just disabling CSP. I would bet that more than 90% of all Magento installs are in production with CSP in report only mode, and it's been that way since it was first introduced.

I'm dealing with this same thing. I'm facing inline script errors and every time I add the hash to the csp_whitelist.xml file, a new error with a new hash is thrown. I give up, we'll have to just disable it too.

stevensagaar commented 2 weeks ago

I have resolved these issues by following this blog article https://www.scommerce-mage.com/blog/magento2-csp-whitelisting.html