Magento 2 Csp Release Key Highlights

The Magento 2.4.7 update, released in April 2024, brings significant improvements for both Magento Open Source and Adobe Commerce (formerly Magento Commerce) users. It includes support for PHP 8.3, 150+ quality fixes and enhancements, expanded coverage for GraphQL, Core Composer dependencies, and more. Especially, to combat Cross-Site Scripting (XSS) attacks, Magento created the built-in Magento 2 Csp module. This module adds support for **Content Security Policy HTTP headersv.

In this article, we provide information about the Magento 2.4.7 Csp release and its key highlights for making use of the feature.

Security for Magento 2

Protect your store from cyber threats with Mageplaza's top-notch security services

(28 reviews)

Check it out!

Default Configuration

With the release of version 2.4.7, CSP (Content Security Policy) is configured in restrict mode by default for payment pages in both the storefront and admin areas. For all other pages, it’s set to report-only mode. The corresponding CSP header for payment pages doesn’t include the unsafe-inline keyword within the script-src directive. Only whitelisted inline scripts are allowed.

Prior to version 2.4.7, CSP was configured in report-only mode for all pages.

Once configured, the application can enforce policies like these:

• Any resource, including .js, .css, .jpg, or .ttf files, can just be loaded from the store’s domain.
• Iframes can only consist of pages from the store.
• AJAX requests must be sent to the store.
• Forms must be submitted to the store.
• Only whitelisted inline scripts and styles can be compiled by the browser.

For more details, check the Magento/Csp/etc/config.xml file. Some domains have already been whitelisted for modules that require it. For instance if the Magento_Paypal module is installed, www.paypal.com is already whitelisted for the script-src policy.

If inline scripts and styles have also been whitelisted, their hashes will be added to the Content-Security-Policy header only when inline scripts/styles are not allowed.

Please note that eval() is still allowed.

Use CSP Nonce Provider to Allow Inline Scripts

Adobe Commerce and Magento Open Source 2.4.7 and later include a Content Security Policy (CSP) nonce provider to facilitate the generation of unique nonce strings for each request. These nonce strings are then attached to the CSP header.

Use the generateNonce function in Magento\Csp\Helper\CspNonceProvider to obtain a nonce string.

use Magento\Csp\Helper\CspNonceProvider;

class MyClass
{

    /**
     * @var CspNonceProvider
     */
    private $cspNonceProvider;

    /**
     * @param CspNonceProvider $cspNonceProvider
     */
    public function __construct(CspNonceProvider $cspNonceProvider)
    {
        $this->cspNonceProvider = $cspNonceProvider
    }

    /**
     * Get CSP Nonce
     *
     * @return String
     */
    public function getNonce(): string
    {
        return $this->cspNonceProvider->generateNonce();
    }
}

Wrap Up

In summary, Magento 2.4.7 CSP delivers robust security, improved performance, and enhanced developer experiences. Whether you’re a merchant or a developer, this release will positively impact your online interactions. Stay updated and explore the full details of the release to make the most of these features.

Feel free to ask if you need further information or have any other questions!