magento / security-package

Magento Security Extensions
Open Software License 3.0

Recaptcha Newsletter still uses inline scripts --> CSP warnings #337

Open PachisPachis opened 1 month ago

PachisPachis commented 1 month ago

Preconditions (*)

  1. Magento 2.4.7-p1
  2. Default CSP config and whitelisting, no customizations. Please notice that the default CSP policies block inline scripts on the checkout page.
  3. The block for newsletter signup is shown on every page, including checkout. The block has a reCAPTCHA validation.

Steps to reproduce (*)

  1. Go to checkout.
  2. Check the browser console.
  3. Notice the CSP warnings (screenshots attached below).

Expected result (*)

  1. Module should use the rendertag function to deal with CSP default requirements, instead of inserting inline scripts. This would allow the script to be executed.
  2. No warnings should be shown by CSP policies in the browser console.

Actual result (*)

  1. Module is inserting inline scripts, detected by the CSP policies and generating unwanted warnings. (screenshots attached)
  2. This is occurring because of the following code: (screenshot attached)
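What the expected result asks for, written out as an added example (this is not code from magento/security-package and not the reporter's code): a .phtml block template that emits the newsletter form's reCAPTCHA bootstrap script first as a raw inline `<script>`, the pattern that trips the checkout CSP, and then through `SecureHtmlRenderer::renderTag()`, which is the Magento mechanism that lets inline script content pass a restrictive `script-src`. It also goes one step beyond the issue and shows the matching helper for inline event handlers. The form id, site key, the `data-recaptcha-sitekey` attribute and the script body are constructed placeholders; `$secureRenderer`, `$escaper`, `renderTag()` and `renderEventListenerAsTag()` are the real Magento 2.4 template variables and methods.

```php
<?php
/**
 * Added example, not code from magento/security-package or from the reporter.
 * Block template for the newsletter form's reCAPTCHA bootstrap script, shown
 * first as the inline pattern the issue reports and then rewritten through
 * SecureHtmlRenderer::renderTag() as the expected result asks.
 *
 * @var \Magento\Framework\View\Element\Template $block
 * @var \Magento\Framework\Escaper $escaper
 * @var \Magento\Framework\View\Helper\SecureHtmlRenderer $secureRenderer
 */

// Constructed sample values; a real template would take these from the block.
$formId  = 'newsletter-validate-detail';
$siteKey = 'SITE_KEY_PLACEHOLDER';
?>

<?php /* BEFORE: a raw inline <script> (what the issue reports). It carries no
         nonce or hash, so under the restrictive script-src enforced on checkout
         the browser refuses to execute it and logs a CSP violation. */ ?>
<script>
    require(['jquery'], function ($) {
        // Constructed stand-in for the module's real initialisation logic.
        $('#<?= $escaper->escapeJs($formId) ?>')
            .attr('data-recaptcha-sitekey', '<?= $escaper->escapeJs($siteKey) ?>');
    });
</script>

<?php /* AFTER: the same script, assembled as a string and emitted through
         SecureHtmlRenderer::renderTag(). Magento_Csp hooks this renderer and
         registers the tag's content with the script-src policy (a sha256 hash,
         or a nonce on newer releases), so the browser runs it without a
         violation. The final argument (false) tells the renderer the string is
         script content, not text to be HTML-escaped. */ ?>
<?php
$scriptString = <<<SCRIPT
require(['jquery'], function (\$) {
    // Constructed stand-in for the module's real initialisation logic.
    \$('#{$escaper->escapeJs($formId)}')
        .attr('data-recaptcha-sitekey', '{$escaper->escapeJs($siteKey)}');
});
SCRIPT;
?>
<?= /* @noEscape */ $secureRenderer->renderTag('script', [], $scriptString, false) ?>

<?php /* Inline event handlers (onclick="...") hit the same policy. The renderer
         has a dedicated helper that turns one into a CSP-safe listener attached
         by selector; the handler body here is a constructed placeholder. */ ?>
<button type="submit" id="newsletter-submit"><?= $escaper->escapeHtml(__('Subscribe')) ?></button>
<?= /* @noEscape */ $secureRenderer->renderEventListenerAsTag(
    'onclick',
    "this.form.setAttribute('data-recaptcha-pending', '1')",
    '#newsletter-submit'
) ?>
```

To confirm a fix of this shape, load the checkout page with the default policy in place and check two things: the browser console no longer reports an inline-script violation for the newsletter block, and the response's `Content-Security-Policy` header (or the rendered tag) now carries the hash or nonce that Magento_Csp registered for the script content.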

m2-assistant[bot] commented 1 month ago

Hi @PachisPachis. Thank you for your report. To speed up processing of this issue, make sure that you provided sufficient information. Add a comment to assign the issue: @magento I am working on this


Join Magento Community Engineering Slack and ask your questions in #github channel.