Closed kunwarsingh77 closed 4 months ago
Hi @kunwarsingh77. Thank you for your report. To speed up processing of this issue, make sure that the issue is reproducible on the vanilla Magento instance following Steps to reproduce. To deploy vanilla Magento instance on our environment, Add a comment to the issue:
@magento give me 2.4-develop instance
- upcoming 2.4.x release@magento I am working on this
Join Magento Community Engineering Slack and ask your questions in #github channel. :warning: According to the Magento Contribution requirements, all issues must go through the Community Contributions Triage process. Community Contributions Triage is a public meeting. :clock10: You can find the schedule on the Magento Community Calendar page. :telephone_receiver: The triage of issues happens in the queue order. If you want to speed up the delivery of your contribution, join the Community Contributions Triage session to discuss the appropriate ticket.
Hi @engcom-Bravo. Thank you for working on this issue. In order to make sure that issue has enough information and ready for development, please read and check the following instruction: :point_down:
Area: XXXXX
label to the ticket, indicating the functional areas it may be related to.2.4-develop
branch@magento give me 2.4-develop instance
to deploy test instance on Magento infrastructure. 2.4-develop
branch, please, add the label Reproduced on 2.4.x
.Issue: Confirmed
once verification is complete. Hi @engcom-Bravo here are some screenshots of the issue after I whitelisted some URLs in the csp_whitelist file and my payment method loaded. if see screenshot 2 there is recpatcha issue were stripe form have to load and in consle showing csp errors there issue is not coming in previous version and my plugin and custom payment gateway is working properly
Hi @kunwarsingh77,
Thanks for your reporting and collaboration.
Stripe Payments Extension that doesn't come along with latest / default Magento installation. Code of this package is not part of https://github.com/magento/magento2 git repository. We are not able to provide fix for it in this repository. All questions, issue reports and fix for them should be addressed to the corresponding extension owners(support) or the Magento Market place page
Thank you.
Hi @engcom-Bravo
but the new Magento version is causing the content security policy issue that's why the other extension is not working properly
could you please give us some solution or how we can support the CSP issue with the latest version to avoid or remove the CSP issue from the latest version?
You should contact stripe support not Magento support for this. They will be much quicker in helping you out. It seems like their module hasn't implemented yet the needed CSP support for Magento 2.4.7
Also, if you want to see more details in the browsers console, open that arrow next to it, underneath it you should see more details (hopefully).
Also, you could setup a CSP reporting service (here's a free one: https://sansec.watch/), it should give you some feedback about any CSP violations that happen on your shop so you can keep a close watch on it.
Also, if CSP blocks you and you want it resolved urgently, you can temporarily disable it(by configuring it - one, two), or by installing a module, ...), then take your time to try to figure out a solution, implement it and then enable it again.
Thanks, i have resolved the issue by following https://developer.adobe.com/commerce/php/development/security/content-security-policies/#page-specific-content-security-policies
Thanks, i have resolved the issue by following https://developer.adobe.com/commerce/php/development/security/content-security-policies/#page-specific-content-security-policies
You resolved the issue by just disabling it. It's unfortunate that Adobe cannot provide sufficient documentation for their software which results in merchants everywhere just disabling CSP. I would bet that more than 90% of all Magento installs are in production with CSP in report only mode, and it's been that way since it was first introduced.
I'm dealing with this same thing. I'm facing inline script errors and every time I add the hash to the csp_whitelist.xml file, a new error with a new hash is thrown. I give up, we'll have to just disable it too.
I have resolved these issues by following this blog article https://www.scommerce-mage.com/blog/magento2-csp-whitelisting.html
Preconditions and environment
Steps Taken to Address the Issue - Updated Content Security Policy (CSP):
I have modified the csp_whitelist.xml to include all necessary script sources such as Stripe, reCAPTCHA, and other third-party services. Ensured all script sources mentioned in the console error were whitelisted.
Issue Details Content Security Policy Error:
The initial issue was a CSP error preventing the Stripe script from loading and my custom payment method not loading at checkout. Error message: Refused to load the script 'https://js.stripe.com/v3/' because it violates the following Content Security Policy directive...
I have added the necessary script sources to csp_whitelist.xml to resolve this error then my payment gateway is loaded on checkout but when we select the payment gateway the stripe form is not loading and it's showing some Recaptcha error with timeout in the console and still showing a CSP error in console as well.
My custom payment gateway of the stripe is working properly with all previous versions of Magento but when I updated to the new 2.4.7 version I am facing this issue.
We seek assistance in understanding if there are any additional steps or configurations required in Magento 2.4.7 to resolve this CSP, especially with custom payment gateways.
Steps to reproduce
Install Magento 2.4.7. Create and configure a custom payment gateway that integrates with Stripe. Ensure the custom payment method is enabled in the Magento Admin panel. Go to checkout with a product open console you will see you custom payment gateway is not showing and there is a CSP error in console
Expected result
after updating the new version of Magento 2.4.7 the custom payment gateway loads properly and there will be no content security policy issue and should have no custom recaptcha issues if it is working with previous version of magentoMagento
Actual result
after updating the new version of Magento 2.4.7 if you have a custom payment gateway then it will not load at checkout and will show a content security policy issue in console
Additional information
No response
Release note
No response
Triage and priority