Strict content security policy (CSP) enforcement compatibility #98
Description
Affected Versions
- zip/magento2 - 1.2.5 or previous release
- Magento 2.4.7 and up
- Magento 2.4.6-p6
- Magento 2.4.5-p8
- Magento 2.4.4-p9
Issue
As of the most recent security patch releases and the Magento 2.4.7 release, Adobe has enforced strict content security policy (CSP) instead of the report-only configuration from previous releases. In my case, upgrading from 2.4.5-p7 to 2.4.5-p8 enforced this change; in testing I've found CSP-related errors thrown in the console when proceeding to the checkout.
This is outlined by Adobe in the patch release notes, which state that strict CSP is now enforced:
https://experienceleague.adobe.com/en/docs/commerce-operations/release/notes/security-patches/2-4-5-patches#additional-security-enhancements
Workaround
There is a workaround outlined by Sansec that turns CSP back to report-only mode; however, this will be non-compliant with the changes coming into effect with PCI DSS as of April next year.
https://sansec.io/guides/magento-csp#disable-strict-csp-on-checkout
Solution
Zip must be patched to be compatible with Magento when strict content security policy (CSP) is enabled.
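For reference, the mechanism Magento provides for a module to declare the external origins it needs under enforced CSP is a csp_whitelist.xml file in the module's etc directory, read by the Magento_Csp module. The fragment below is an added illustration, not code from the zip/magento2 module: the hostnames are placeholders (the real Zip endpoints are not given on this page), and the set of directives is an assumption about what a hosted payment integration typically needs (external scripts, XHR/fetch calls, iframes and form posts). Host entries only cover fetched resources; any inline script the module injects still needs a nonce, which Magento exposes through Magento\Framework\View\Helper\SecureHtmlRenderer, or it will be blocked regardless of this file.

```xml
<?xml version="1.0"?>
<!-- Illustrative etc/csp_whitelist.xml for a Magento 2 payment module.
     Placeholder hosts (checkout.zip.example, api.zip.example) stand in for
     the vendor's real endpoints; replace them with the documented ones. -->
<csp_whitelist xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Csp:etc/csp_whitelist.xsd">
    <policies>
        <!-- External JavaScript loaded by the checkout widget -->
        <policy id="script-src">
            <values>
                <value id="zip-checkout-js" type="host">checkout.zip.example</value>
            </values>
        </policy>
        <!-- XHR/fetch calls the frontend makes to the payment API -->
        <policy id="connect-src">
            <values>
                <value id="zip-api" type="host">api.zip.example</value>
            </values>
        </policy>
        <!-- Hosted checkout rendered in an iframe, if the module uses one -->
        <policy id="frame-src">
            <values>
                <value id="zip-checkout-frame" type="host">checkout.zip.example</value>
            </values>
        </policy>
        <!-- Redirect/form submission to the hosted checkout page -->
        <policy id="form-action">
            <values>
                <value id="zip-checkout-form" type="host">checkout.zip.example</value>
            </values>
        </policy>
        <!-- Logos or badges served from the vendor's CDN -->
        <policy id="img-src">
            <values>
                <value id="zip-assets" type="host">static.zip.example</value>
            </values>
        </policy>
    </policies>
</csp_whitelist>
```

Keeping the allowed hosts as narrow as the integration actually requires is the point of enforced CSP: a whitelist that adds broad wildcards to silence the console errors gives up most of the protection the 2.4.7 and patch-release change was meant to provide, and is what the report-only workaround above is effectively doing store-wide.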