The recent Magento Open Source / Adobe Commerce security patch updates (versions 2.4.5-p8, 2.4.6-p6, and 2.4.7-p1) have introduced changes to Content Security Policies (CSP) that are causing issues for some extensions working with the checkout page. This update shifts the CSP mode from report_only to restrict, significantly impacting third-party and custom modules, particularly during the checkout process.
Content Security Policies Overview
Content Security Policies are designed to protect websites from a range of attacks, including Cross-Site Scripting (XSS), card skimmers, session hijacking, and clickjacking. By specifying approved sources for scripts, styles, and other resources through HTTP headers, CSPs help prevent malicious content from being loaded or executed. Magento's recent security updates have tightened these policies, requiring inline scripts and styles to be signed, thus enhancing security but also introducing compatibility challenges for existing extensions.
Impact on Extensions
In restrict mode the CSP is far more stringent: any inline script that is not appropriately signed is blocked by the browser. This affects both the default Magento checkout and the admin "place order" functionality, so developers now need to adapt their code to comply with the stricter policy.
Adapting to the Changes
To conform to the new security requirements, developers must utilize a special helper available in Magento. This helper allows inline scripts and styles to be rendered safely, ensuring they comply with the new CSP rules.
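As an added example (not code from this post or from Magento itself), here is a checkout template for a hypothetical Acme_Payment module rewritten to go through Magento's SecureHtmlRenderer helper instead of emitting raw inline markup. The $escaper and $secureRenderer template variables are assumed to be in scope as they are in Magento's own core templates; every Acme name, path and value is made up.

```php
<?php
/**
 * Hypothetical template: app/code/Acme/Payment/view/frontend/templates/checkout/config.phtml
 *
 * @var \Magento\Framework\View\Element\Template $block
 * @var \Magento\Framework\Escaper $escaper
 * @var \Magento\Framework\View\Helper\SecureHtmlRenderer $secureRenderer
 */

// Constructed sample data; a real block would supply this from its own configuration.
$apiBaseUrl = $block->getData('api_base_url') ?: 'https://api.acme-payments.example';
$merchantId = $block->getData('merchant_id') ?: 'acme-merchant-123';

// BEFORE (blocked in restrict mode): writing the tag straight into the template, e.g.
//   <script> window.acmePaymentConfig = { ... }; </script>
// The tag carries no hash or nonce, so the browser refuses to run it and reports a CSP violation.

// AFTER: build the script body as a string and hand it to SecureHtmlRenderer.
// renderTag() registers the content with the CSP policy (hash or nonce) and emits the <script>
// tag, so the header the checkout page sends will allow it. The last argument (false) tells
// the helper the content is script, not text to be HTML-escaped.
$scriptString = <<<SCRIPT
window.acmePaymentConfig = {
    apiBaseUrl: '{$escaper->escapeJs($apiBaseUrl)}',
    merchantId: '{$escaper->escapeJs($merchantId)}'
};
SCRIPT;
?>
<?= /* @noEscape */ $secureRenderer->renderTag('script', [], $scriptString, false) ?>

<div id="acme-payment-notice" class="message notice">
    <?= $escaper->escapeHtml(__('Redirecting to Acme Payments...')) ?>
    <button type="button" id="acme-retry-button"><?= $escaper->escapeHtml(__('Retry')) ?></button>
</div>

<?php
// Inline style="" and on*="" attributes are blocked under restrict mode as well; the helper
// renders them as signed <style> and <script> tags bound to the element by selector.
?>
<?= /* @noEscape */ $secureRenderer->renderStyleAsTag('display: none;', '#acme-payment-notice') ?>
<?= /* @noEscape */ $secureRenderer->renderEventListenerAsTag(
    'onclick',
    'window.location.reload();',
    '#acme-retry-button'
) ?>
```

Before shipping, test with the CSP mode set to report_only and watch the browser console for remaining violation reports, then switch the module to restrict.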
Configuration and Customization
Magento provides mechanisms to configure CSPs at different levels. Since version 2.4.7, CSP is set to restrict mode by default for payment pages in both the storefront and admin areas. Developers can customize CSP configurations for their modules by editing specific configuration files, setting modes to either report_only or restrict.
Additionally, developers can whitelist specific domains or inline scripts within their custom modules to ensure they are allowed under the new CSP rules.
Conclusion
The Magento security updates have strengthened website security by enforcing stricter CSPs, but they also necessitate changes in how developers write and configure their extensions. By utilizing the provided tools and following best practices, developers can ensure their extensions remain functional and secure in the updated environment.
For detailed code examples and configuration steps, please refer to Adobe's Knowledge Base.
In our blog, we post technology-related articles bi-weekly. Follow us on Facebook and Instagram to get notifications about updates.