Open fritzmg opened 2 months ago
Hi @fritzmg. Thank you for your report. To speed up processing of this issue, make sure that the issue is reproducible on the vanilla Magento instance following Steps to reproduce. To deploy vanilla Magento instance on our environment, Add a comment to the issue:
@magento give me 2.4-develop instance
- upcoming 2.4.x release@magento I am working on this
Join Magento Community Engineering Slack and ask your questions in #github channel. :warning: According to the Magento Contribution requirements, all issues must go through the Community Contributions Triage process. Community Contributions Triage is a public meeting. :clock10: You can find the schedule on the Magento Community Calendar page. :telephone_receiver: The triage of issues happens in the queue order. If you want to speed up the delivery of your contribution, join the Community Contributions Triage session to discuss the appropriate ticket.
Hi @fritzmg , I think that this could be related to this security improvement: https://experienceleague.adobe.com/en/docs/commerce-operations/release/notes/magento-open-source/2-4-7#:~:text=Changes%20to%20Content%20Security%20Policy
Magento updated CSP to restrict mode at checkout. You can use this module to bypass it meanwhile you fix the code to enable CSP.
Well Magento has support for CSP for some while now, not just recently. The issue is just with the Magento_PaymentServicesPaypal
module that comes with Magento Community Edition. It currently has an erroneous hard dependency on Magento_Csp
. Judging by the code it is supposed to be a soft dependency, but it currently does not work (due to the wrong catch type).
I can confirm the issue with 2.4.6-p7 as well.
File affected: vendor/magento/module-paypal/Model/Config.php
Workaround:
}
}
- $this->cspNonceProvider = $cspNonceProvider ?: ObjectManager::getInstance()->get(CspNonceProvider::class);
+ try {
+ $this->cspNonceProvider = $cspNonceProvider ?: ObjectManager::getInstance()->get(CspNonceProvider::class);
+ } catch (\Throwable $e) {
+ $this->cspNonceProvider = null;
+ }
}
/**
The checkout is also affected. A new Observer has been introduced: Magento\Checkout\Observer\CspPolicyObserver
File affected: vendor/magento/module-checkout/etc/frontend/events.xml
Workaround:
<event name="customer_logout">
<observer name="unsetAll" instance="Magento\Checkout\Observer\UnsetAllObserver" />
</event>
- <event name="controller_action_predispatch_checkout_index_index">
- <observer name="cps_storefront_checkout_index_index_predispatch"
- instance="Magento\Checkout\Observer\CspPolicyObserver"/>
- </event>
+<!-- <event name="controller_action_predispatch_checkout_index_index">-->
+<!-- <observer name="cps_storefront_checkout_index_index_predispatch"-->
+<!-- instance="Magento\Checkout\Observer\CspPolicyObserver"/>-->
+<!-- </event>-->
</config>
Marcus, As I mentioned in my previous note, after M2.4.7 Adobe decided to force CSP in restricted mode for the checkout and payment line. It's not an error.
Default config: https://developer.adobe.com/commerce/php/development/security/content-security-policies/#default-configuration
I understand that someone from the Adobe team should clarify this. @nathanjosiah can you add your 2 cents?
Previous discussion on Magento_Csp behavior change at checkout: https://github.com/magento/magento2/issues/38823
Background info: https://m.academy/articles/magento-apsb24-40-security-patch-csp-checkout-updates/#:~:text=Impact%20on%20Checkout%20Functionality
@Franciscof-Serfe please note, we are not on 2.4.7. We are on 2.4.6-p7; In a security release there should never be such a breaking change.
Adobe decided to force CSP in restricted mode for the checkout and payment line. It's not an error.
Nevertheless, modules that have a hard dependency on Magento_Csp
need to define it as such. Currently Magento_PaymentServicesPaypal
has no dependency and thus Magento_Csp
can be disabled, which leads to the aforementioned error.
The new CSP changes are new PCI requirements for all payment pages per PCI version 4 section 6.4.3. Since all of our supported versions must be PCI compliant this change had to be made.
Having said that, it does appear there is an error with the type that violates our policies. But, I would strongly advise you to get your site working with CSP as this is the last line of defense against malware and card skimmers. Plus, it would put you at risk of PCI audit failure especially since the auditors will be on high alert since it's a new requirement.
@magento export issue to Jira project AC as Bug
:x: You don't have permission to export this issue.
@magento export issue to Jira project AC as Bug
:x: Something went wrong. Cannot create Jira issue.
Is the Issue: Confirmed tab necessary first?
But, I would strongly advise you to get your site working with CSP as this is the last line of defense against malware and card skimmers. Plus, it would put you at risk of PCI audit failure especially since the auditors will be on high alert since it's a new requirement.
@nathanjosiah While I agree that CPS should be enabled in any case, CSP must not be a requirement, at least not for this reason. Your shop does not have to have an actual payment module. In our case the Magento instance is a B2C shop with a checkout that contains no payment options. In our case the fix is easy, as we can just disable the payment module itself (it was an error that we didn't).
The error is that Magento_PaymentServicesPaypal
is missing the Magento_Csp
dependency in its composer.json
and etc/module.xml
.
:white_check_mark: Jira issue https://jira.corp.adobe.com/browse/AC-13063 is successfully created for this GitHub issue.
:white_check_mark: Confirmed by @engcom-Bravo. Thank you for verifying the issue.
Issue Available: @engcom-Bravo, You will be automatically unassigned. Contributors/Maintainers can claim this issue to continue. To reclaim and continue work, reassign the ticket to yourself.
The same error happens within Magento\AdminAnalytics\ViewModel\Metadata
:
It also has a hard dependency on Magento_Csp
, but it is missing from the module.xml
:
Preconditions and environment
Magento_Csp
disabledSteps to reproduce
2.4.7-p2
.bin/magento module:disable Magento_Csp
.Expected result
The checkout should be rendered.
Actual result
The following error is thrown:
Additional information
The cause are these lines within
vendor/magento/module-payment-services-paypal/Model/ConfigProvider.php
The error is not of type
\ReflectionException
, instead it is of type\Error
- thus the error is not caught.To fix it, it could be changed as follows:
Release note
No response
Triage and priority