Cannot instantiate interface `Magento\Csp\Model\Collector\MergerInterface` when `Magento_Csp` is disabled

[fritzmg]

Preconditions and environment

• Magento version: 2.4.7-p2
• Magento_Csp disabled

Steps to reproduce

1. Update or install Magento 2.4.7-p2.
2. Execute bin/magento module:disable Magento_Csp.
3. Go to the checkout.

Expected result

The checkout should be rendered.

Actual result

The following error is thrown:

Error: Cannot instantiate interface Magento\Csp\Model\Collector\MergerInterface in vendor/magento/framework/ObjectManager/Factory/Dynamic/Developer.php:50
Stack trace:
#0 vendor/magento/framework/ObjectManager/ObjectManager.php(73): Magento\Framework\ObjectManager\Factory\Dynamic\Developer->create()
#1 vendor/magento/framework/ObjectManager/Factory/AbstractFactory.php(170): Magento\Framework\ObjectManager\ObjectManager->get()
#2 vendor/magento/framework/ObjectManager/Factory/AbstractFactory.php(276): Magento\Framework\ObjectManager\Factory\AbstractFactory->resolveArgument()
#3 vendor/magento/framework/ObjectManager/Factory/AbstractFactory.php(239): Magento\Framework\ObjectManager\Factory\AbstractFactory->getResolvedArgument()
#4 vendor/magento/framework/ObjectManager/Factory/Dynamic/Developer.php(34): Magento\Framework\ObjectManager\Factory\AbstractFactory->resolveArgumentsInRuntime()
#5 vendor/magento/framework/ObjectManager/Factory/Dynamic/Developer.php(59): Magento\Framework\ObjectManager\Factory\Dynamic\Developer->_resolveArguments()
#6 vendor/magento/framework/ObjectManager/ObjectManager.php(73): Magento\Framework\ObjectManager\Factory\Dynamic\Developer->create()
#7 vendor/magento/framework/ObjectManager/Factory/AbstractFactory.php(170): Magento\Framework\ObjectManager\ObjectManager->get()
#8 vendor/magento/framework/ObjectManager/Factory/AbstractFactory.php(276): Magento\Framework\ObjectManager\Factory\AbstractFactory->resolveArgument()
#9 vendor/magento/framework/ObjectManager/Factory/AbstractFactory.php(239): Magento\Framework\ObjectManager\Factory\AbstractFactory->getResolvedArgument()
#10 vendor/magento/framework/ObjectManager/Factory/Dynamic/Developer.php(34): Magento\Framework\ObjectManager\Factory\AbstractFactory->resolveArgumentsInRuntime()
#11 vendor/magento/framework/ObjectManager/Factory/Dynamic/Developer.php(59): Magento\Framework\ObjectManager\Factory\Dynamic\Developer->_resolveArguments()
#12 vendor/magento/framework/ObjectManager/ObjectManager.php(73): Magento\Framework\ObjectManager\Factory\Dynamic\Developer->create()
#13 vendor/magento/module-payment-services-paypal/Model/ConfigProvider.php(65): Magento\Framework\ObjectManager\ObjectManager->get()
…

Additional information

The cause are these lines within vendor/magento/module-payment-services-paypal/Model/ConfigProvider.php

    //TODO:Just to be compatible with 2.4.6. Remove in future
    $objectManager = \Magento\Framework\App\ObjectManager::getInstance();
    try {
        $this->cspNonceProvider = $objectManager->get("\Magento\Csp\Helper\CspNonceProvider");
    } catch (\ReflectionException $e) {
        $this->cspNonceProvider = null;
    }

The error is not of type \ReflectionException, instead it is of type \Error - thus the error is not caught.

To fix it, it could be changed as follows:

    //TODO:Just to be compatible with 2.4.6. Remove in future
    $objectManager = \Magento\Framework\App\ObjectManager::getInstance();
    try {
        $this->cspNonceProvider = $objectManager->get("\Magento\Csp\Helper\CspNonceProvider");
-   } catch (\ReflectionException $e) {
+   } catch (\Throwable) {
        $this->cspNonceProvider = null;
    }

Release note

No response

Triage and priority

• [ ] Severity: S0 - Affects critical data or functionality and leaves users without workaround.
• [ ] Severity: S1 - Affects critical data or functionality and forces users to employ a workaround.
• [X] Severity: S2 - Affects non-critical data or functionality and forces users to employ a workaround.
• [ ] Severity: S3 - Affects non-critical data or functionality and does not force users to employ a workaround.
• [ ] Severity: S4 - Affects aesthetics, professional look and feel, “quality” or “usability”.

[m2-assistant[bot]]

Hi @fritzmg. Thank you for your report. To speed up processing of this issue, make sure that the issue is reproducible on the vanilla Magento instance following Steps to reproduce. To deploy vanilla Magento instance on our environment, Add a comment to the issue:

• @magento give me 2.4-develop instance - upcoming 2.4.x release
• For more details, review the Magento Contributor Assistant documentation.
• Add a comment to assign the issue: @magento I am working on this

• To learn more about issue processing workflow, refer to the Code Contributions.

  Join Magento Community Engineering Slack and ask your questions in #github channel. :warning: According to the Magento Contribution requirements, all issues must go through the Community Contributions Triage process. Community Contributions Triage is a public meeting. :clock10: You can find the schedule on the Magento Community Calendar page. :telephone_receiver: The triage of issues happens in the queue order. If you want to speed up the delivery of your contribution, join the Community Contributions Triage session to discuss the appropriate ticket.

[Franciscof-Serfe]

Hi @fritzmg , I think that this could be related to this security improvement: https://experienceleague.adobe.com/en/docs/commerce-operations/release/notes/magento-open-source/2-4-7#:~:text=Changes%20to%20Content%20Security%20Policy

Magento updated CSP to restrict mode at checkout. You can use this module to bypass it meanwhile you fix the code to enable CSP.

https://github.com/yireo/Yireo_DisableCsp

[fritzmg]

Well Magento has support for CSP for some while now, not just recently. The issue is just with the Magento_PaymentServicesPaypal module that comes with Magento Community Edition. It currently has an erroneous hard dependency on Magento_Csp. Judging by the code it is supposed to be a soft dependency, but it currently does not work (due to the wrong catch type).

[MarcusSchwarz]

I can confirm the issue with 2.4.6-p7 as well.

File affected: vendor/magento/module-paypal/Model/Config.php Workaround:

             }
         }

-        $this->cspNonceProvider = $cspNonceProvider ?: ObjectManager::getInstance()->get(CspNonceProvider::class);
+        try {
+            $this->cspNonceProvider = $cspNonceProvider ?: ObjectManager::getInstance()->get(CspNonceProvider::class);
+        } catch (\Throwable $e) {
+            $this->cspNonceProvider = null;
+        }
     }

     /**

The checkout is also affected. A new Observer has been introduced: Magento\Checkout\Observer\CspPolicyObserver

File affected: vendor/magento/module-checkout/etc/frontend/events.xml Workaround:

     <event name="customer_logout">
         <observer name="unsetAll" instance="Magento\Checkout\Observer\UnsetAllObserver" />
     </event>
-    <event name="controller_action_predispatch_checkout_index_index">
-        <observer name="cps_storefront_checkout_index_index_predispatch"
-                  instance="Magento\Checkout\Observer\CspPolicyObserver"/>
-    </event>
+<!--    <event name="controller_action_predispatch_checkout_index_index">-->
+<!--        <observer name="cps_storefront_checkout_index_index_predispatch"-->
+<!--                  instance="Magento\Checkout\Observer\CspPolicyObserver"/>-->
+<!--    </event>-->
 </config>

[Franciscof-Serfe]

Marcus, As I mentioned in my previous note, after M2.4.7 Adobe decided to force CSP in restricted mode for the checkout and payment line. It's not an error.

Default config: https://developer.adobe.com/commerce/php/development/security/content-security-policies/#default-configuration

Commit REF: https://github.com/magento/magento2/commit/25cf7f077cf06eafa145027ff70c55d297f4943c#diff-32ed90c0e573d5dd4047b67db44768fca797fa1df717c8d883956d3a6b8d2fd6

I understand that someone from the Adobe team should clarify this. @nathanjosiah can you add your 2 cents?

Previous discussion on Magento_Csp behavior change at checkout: https://github.com/magento/magento2/issues/38823

Background info: https://m.academy/articles/magento-apsb24-40-security-patch-csp-checkout-updates/#:~:text=Impact%20on%20Checkout%20Functionality

[MarcusSchwarz]

@Franciscof-Serfe please note, we are not on 2.4.7. We are on 2.4.6-p7; In a security release there should never be such a breaking change.

[fritzmg]

Adobe decided to force CSP in restricted mode for the checkout and payment line. It's not an error.

Nevertheless, modules that have a hard dependency on Magento_Csp need to define it as such. Currently Magento_PaymentServicesPaypal has no dependency and thus Magento_Csp can be disabled, which leads to the aforementioned error.

[nathanjosiah]

The new CSP changes are new PCI requirements for all payment pages per PCI version 4 section 6.4.3. Since all of our supported versions must be PCI compliant this change had to be made.

Having said that, it does appear there is an error with the type that violates our policies. But, I would strongly advise you to get your site working with CSP as this is the last line of defense against malware and card skimmers. Plus, it would put you at risk of PCI audit failure especially since the auditors will be on high alert since it's a new requirement.

[nathanjosiah]

@magento export issue to Jira project AC as Bug

[github-jira-sync-bot]

:x: You don't have permission to export this issue.

[sidolov]

@magento export issue to Jira project AC as Bug

[github-jira-sync-bot]

:x: Something went wrong. Cannot create Jira issue.

[Franciscof-Serfe]

Is the Issue: Confirmed tab necessary first?

[fritzmg]

But, I would strongly advise you to get your site working with CSP as this is the last line of defense against malware and card skimmers. Plus, it would put you at risk of PCI audit failure especially since the auditors will be on high alert since it's a new requirement.

@nathanjosiah While I agree that CPS should be enabled in any case, CSP must not be a requirement, at least not for this reason. Your shop does not have to have an actual payment module. In our case the Magento instance is a B2C shop with a checkout that contains no payment options. In our case the fix is easy, as we can just disable the payment module itself (it was an error that we didn't).

The error is that Magento_PaymentServicesPaypal is missing the Magento_Csp dependency in its composer.json and etc/module.xml.

[github-jira-sync-bot]

:white_check_mark: Jira issue https://jira.corp.adobe.com/browse/AC-13063 is successfully created for this GitHub issue.

[m2-assistant[bot]]

:white_check_mark: Confirmed by @engcom-Bravo. Thank you for verifying the issue.
Issue Available: @engcom-Bravo, You will be automatically unassigned. Contributors/Maintainers can claim this issue to continue. To reclaim and continue work, reassign the ticket to yourself.

[nathanjosiah]

We are working on this internally.

As a reference for any Adobe members, this was transferred from AC-13063 to PAY-5690

[fritzmg]

The same error happens within Magento\AdminAnalytics\ViewModel\Metadata:

https://github.com/magento/magento2/blob/5a2037c35de89ce2c50e230164ff3ea7b67ac127/app/code/Magento/AdminAnalytics/ViewModel/Metadata.php#L75-L77

It also has a hard dependency on Magento_Csp, but it is missing from the module.xml:

https://github.com/magento/magento2/blob/5a2037c35de89ce2c50e230164ff3ea7b67ac127/app/code/Magento/AdminAnalytics/etc/module.xml#L8-L10