
Magento 2 security patch causes issues with checkout page extensions


The recent Magento Open Source / Adobe Commerce security patch releases (versions 2.4.5-p8, 2.4.6-p6, and 2.4.7-p1) introduce changes to Content Security Policy (CSP) handling that are causing problems for some extensions that work on the checkout page. The update switches the CSP mode from report_only to restrict, which significantly affects third-party and custom modules, particularly during the checkout process.


Content Security Policies Overview

Content Security Policies are designed to protect websites from a range of attacks, including Cross-Site Scripting (XSS), card skimmers, session hijacking, and clickjacking. By specifying approved sources for scripts, styles, and other resources through HTTP headers, CSPs help prevent malicious content from being loaded or executed. Magento's recent security updates have tightened these policies, requiring inline scripts and styles to be signed, thus enhancing security but also introducing compatibility challenges for existing extensions.


Impact on Extensions

In restrict mode the policy is enforced rather than merely reported: any inline script that is not appropriately signed is blocked by the browser. This change affects both the default Magento checkout and the admin place order functionality. Developers now need to adapt their code to comply with these stricter policies.


Adapting to the Changes

To conform to the new security requirements, developers must use the helper that Magento provides for rendering inline scripts and styles. Output rendered through this helper is signed in a way the policy accepts, so it complies with the new CSP rules.
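As an added illustration (this is not code from the original article or from any real module), the template below shows how a checkout-page extension renders its inline script, its click handler and its inline style through Magento's `Magento\Framework\View\Helper\SecureHtmlRenderer` helper, which is available in templates as `$secureRenderer`. In restrict mode the browser executes inline script or style only when its hash (or nonce) appears in the Content-Security-Policy header; the helper registers that hash for the current response, whereas a raw `<script>` tag, an `onclick="..."` attribute or a `style="..."` attribute would be blocked. The module name, element ids, merchant configuration and `window.hypotheticalPay` object are assumed placeholders.

```php
<?php
/**
 * view/frontend/templates/checkout/hypothetical_pay.phtml
 * Added example template; not from the original article or any real module.
 *
 * @var \Magento\Framework\View\Element\Template $block
 * @var \Magento\Framework\Escaper $escaper
 * @var \Magento\Framework\View\Helper\SecureHtmlRenderer $secureRenderer
 */

// Placeholder merchant configuration; a real module would read it from $block
// (e.g. from a config provider). JSON_HEX_* keeps the value safe inside <script>.
$payConfig = json_encode(
    ['merchantId' => 'PLACEHOLDER_MERCHANT_ID', 'sandbox' => true],
    JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
);

// Inline initialisation script. It must be emitted through the helper so that
// Magento_Csp can add its SHA-256 hash to script-src for this response.
$scriptString = <<<JS
require(['jquery'], function (\$) {
    window.hypotheticalPay = window.hypotheticalPay || {};
    window.hypotheticalPay.config = {$payConfig};
});
JS;
?>
<div id="hypothetical-pay" class="payment-method-content">
    <span id="hypothetical-pay-spinner"><?= $escaper->escapeHtml(__('Loading...')) ?></span>
    <button type="button" id="hypothetical-pay-button">
        <?= $escaper->escapeHtml(__('Pay now')) ?>
    </button>
</div>

<?php /* Renders <script>...</script>; the fourth argument (false) means the
         content is JavaScript and must not be HTML-escaped. */ ?>
<?= /* @noEscape */ $secureRenderer->renderTag(
    'script',
    ['type' => 'text/javascript'],
    $scriptString,
    false
) ?>

<?php /* Replaces an inline onclick="..." attribute, which restrict mode blocks,
         with a hashed script that attaches the listener to the selector. */ ?>
<?= /* @noEscape */ $secureRenderer->renderEventListener(
    'onclick',
    'window.hypotheticalPay.start(); return false;',
    '#hypothetical-pay-button'
) ?>

<?php /* Replaces an inline style="..." attribute with a hashed <style> block
         scoped to the selector. */ ?>
<?= /* @noEscape */ $secureRenderer->renderStyleAsTag(
    'display: none;',
    '#hypothetical-pay-spinner'
) ?>
```

The `/* @noEscape */` annotations tell Magento's coding-standard sniff that the helper output is already safe; everything else in the template is still passed through `$escaper`. When checking whether an extension is affected, the browser console on the checkout page reports each blocked inline script or style with the directive that refused it, which is the quickest way to find the remaining raw `<script>` tags and `on*` attributes.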


Configuration and Customization

Magento provides mechanisms to configure CSPs at different levels. Since version 2.4.7, CSP is set to restrict mode by default for payment pages in both the storefront and admin areas. Developers can customize CSP configurations for their modules by editing specific configuration files, setting modes to either report_only or restrict.


Additionally, developers can whitelist specific domains or inline scripts within their custom modules to ensure they are allowed under the new CSP rules.
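The two configuration files below are an added example (not from the original article or any real module) of the mechanisms just described: `etc/config.xml` puts the storefront checkout and the admin order-creation routes into restrict mode (the route keys follow Magento's `<area>_<route>_<controller>_<action>` pattern), and `etc/csp_whitelist.xml` allows only the specific hosts a payment integration needs, plus one static inline script allowed by hash. The module path, the `hypothetical-pay.example` hosts and the hash digest are assumed placeholders.

```xml
<?xml version="1.0"?>
<!-- app/code/Vendor/HypotheticalPay/etc/config.xml (added example, placeholder module) -->
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Store:etc/config.xsd">
    <default>
        <csp>
            <mode>
                <!-- report_only = 0 enforces the policy (restrict mode);
                     report_only = 1 only logs violations and lets everything load. -->
                <storefront_checkout_index_index>
                    <report_only>0</report_only>
                </storefront_checkout_index_index>
                <admin_sales_order_create_index>
                    <report_only>0</report_only>
                </admin_sales_order_create_index>
            </mode>
        </csp>
    </default>
</config>

<?xml version="1.0"?>
<!-- app/code/Vendor/HypotheticalPay/etc/csp_whitelist.xml (added example, placeholder module) -->
<csp_whitelist xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Csp/etc/csp_whitelist.xsd">
    <policies>
        <!-- Only the provider's own script host, not a wildcard. -->
        <policy id="script-src">
            <values>
                <value id="hypothetical-pay-js" type="host">https://js.hypothetical-pay.example</value>
                <!-- A fixed inline script can be allowed by its SHA-256 digest instead of
                     'unsafe-inline'; the digest here is a placeholder, not a real value. -->
                <value id="hypothetical-pay-inline" type="hash" algorithm="sha256">PLACEHOLDER_BASE64_SHA256</value>
            </values>
        </policy>
        <!-- Hosted payment form loaded in an iframe. -->
        <policy id="frame-src">
            <values>
                <value id="hypothetical-pay-frame" type="host">https://checkout.hypothetical-pay.example</value>
            </values>
        </policy>
        <!-- XHR/fetch calls made by the provider's script. -->
        <policy id="connect-src">
            <values>
                <value id="hypothetical-pay-api" type="host">https://api.hypothetical-pay.example</value>
            </values>
        </policy>
    </policies>
</csp_whitelist>
```

Keeping the whitelist to exactly the hosts and directives the integration uses is what preserves the protection the patch adds: a `*` host or an `'unsafe-inline'` entry in script-src would let a compromised extension or an injected skimmer load again, which is precisely what restrict mode on the payment pages is meant to stop.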


Conclusion

The Magento security updates have strengthened website security by enforcing stricter CSPs, but they also necessitate changes in how developers write and configure their extensions. By utilizing the provided tools and following best practices, developers can ensure their extensions remain functional and secure in the updated environment.


For the detailed code examples and configuration steps, please refer to Adobe's Knowledge Base.


