yireo/Yireo_GoogleTagManager2

CSP issues for Magento 2.4.7+

Closed this issue · 4 comments

Seems that from Magento 2.4.7 onwards CSP isn't working in Report Mode on payment pages (admin and checkout pages).

Quote from Release Notes:

The default CSP configuration for payment pages for Commerce Admin and storefront areas is now restrict mode. For all other pages, the default configuration is report-only mode. In releases prior to 2.4.7, CSP was configured in report-only mode for all pages.

In order to fix that problem, all inline JS from this module should be rendered through the secure renderer so that proper nonces will be added...

[Screenshot 2024-04-14 at 21:01:05]

Had a similar issue related to third party extensions. You should contact third party extension provider(s) and they should fix these inline script issues. We bought this CSP whitelist extension which helped us resolve inline script issues straight away, but you need to make sure that you get a fix from third party extension providers as well. Hope this information helps, best of luck!

Even though the PR was good already, I've decided to go a totally different route: fc8fc70

The PR was wrapping inline scripts everywhere (except for the Hyva scripts, WIP) with the $secureRenderer. But with a multiline script this quickly becomes cumbersome. Adding a HEREDOC syntax seems to have its own issues. So instead, I went for an approach where the original block-with-script is actually wrapped in a parent block (class \Yireo\GoogleTagManager2\Block\InlineScriptParent) that simply renders its child, but stripping the <script> tag and piping everything through the secure renderer (or its dummy). In my opinion, this makes the code a lot more readable, thus maintainable - especially with all of the inline JS for Hyva.

This seems to be working fine!

Cc: @stevensagaar @jemoon @hostep @nige-one What do you think?

hostep commented

Nice, cool idea!

And it makes the frontend files indeed a lot cleaner and easier to maintain, which is always a good thing.

This took one more major twist: Instead of adding a parent block, I decided to do things via a DI plugin on all templates "owned" by GTM. This is working nicely and doesn't require changes to any XML layout structure.

I'm going to release this now.
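As an added illustration (not the module's own code from fc8fc70, and not the parent-block variant from the earlier comment), this is how the plugin approach described in the thread can be implemented: an `afterToHtml` plugin on `Magento\Framework\View\Element\Template` that only touches templates whose path starts with `Yireo_GoogleTagManager2::`, strips each raw `<script>` tag out of the rendered HTML, and re-emits its body through Magento's `SecureHtmlRenderer::renderTag()` so the script carries the nonce (or hash) that restrict-mode CSP on 2.4.7+ payment pages requires. The vendor namespace, class name, template-prefix check and the attribute parser are assumptions made for this example; `renderTag()` and the `Template`/`SecureHtmlRenderer` classes are real Magento APIs.

```php
<?php
declare(strict_types=1);

// Added example, not the module's own implementation. Namespace/class name,
// the OWNED_TEMPLATE_PREFIX check and parseAttributes() are assumptions.
namespace Vendor\Example\Plugin;

use Magento\Framework\View\Element\Template;
use Magento\Framework\View\Helper\SecureHtmlRenderer;

class SecureInlineScriptPlugin
{
    /** Only templates owned by this module are rewritten; third-party output stays untouched. */
    private const OWNED_TEMPLATE_PREFIX = 'Yireo_GoogleTagManager2::';

    private SecureHtmlRenderer $secureRenderer;

    public function __construct(SecureHtmlRenderer $secureRenderer)
    {
        $this->secureRenderer = $secureRenderer;
    }

    /**
     * Runs after every Template::toHtml(). Cheap early return keeps the plugin
     * from doing regex work on the hundreds of templates it does not own.
     */
    public function afterToHtml(Template $subject, string $html): string
    {
        $template = (string)$subject->getTemplate();
        if (strpos($template, self::OWNED_TEMPLATE_PREFIX) !== 0) {
            return $html;
        }
        return $this->rewriteInlineScripts($html);
    }

    /**
     * Replace each <script>...</script> with the same body rendered by the secure
     * renderer, which attaches the CSP nonce/hash. Scripts with a src attribute are
     * external (governed by script-src host rules, not inline nonces) and pass
     * through unchanged. Attributes such as type="text/x-magento-init" are kept.
     */
    public function rewriteInlineScripts(string $html): string
    {
        return (string)preg_replace_callback(
            '#<script\b([^>]*)>(.*?)</script>#is',
            function (array $match): string {
                $attributes = $this->parseAttributes($match[1]);
                if (isset($attributes['src'])) {
                    return $match[0];
                }
                // Last argument false: the content is JavaScript, not text to be HTML-escaped.
                return $this->secureRenderer->renderTag('script', $attributes, trim($match[2]), false);
            },
            $html
        );
    }

    /** Minimal name="value" attribute parser for the tags in the module's own templates. */
    private function parseAttributes(string $raw): array
    {
        $attributes = [];
        if (preg_match_all('#([\w:-]+)\s*=\s*"([^"]*)"#', $raw, $found, PREG_SET_ORDER)) {
            foreach ($found as [, $name, $value]) {
                $attributes[$name] = $value;
            }
        }
        return $attributes;
    }
}
```

The class is registered in the module's `etc/di.xml` as a `<plugin>` on `Magento\Framework\View\Element\Template`, which is why no layout XML changes are needed, as the thread notes. The template-prefix check matters for more than performance: rewriting scripts that other extensions emit would silently grant them a nonce and defeat the point of the restrict-mode policy on checkout and admin payment pages, so the plugin deliberately only nonces scripts the module itself authored.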