Magento – Magento 2.1.1 – Improve security with Content Security Policy

Tags: apache2, magento-2.1, security

I have a store running fine with the latest version of Magento (currently 2.1.1) and I'm trying to improve security through Content Security Policy on Apache 2.4.7 (Ubuntu 14.04). I removed all <script> tags from the content pages and moved the code into separate .js files.

On Apache's security I have set:

Header set Content-Security-Policy "default-src 'self'"

However, it's not working. It seems Magento itself adds some <script> tags. Example from the very first source lines:

<!doctype html>
<html lang="pt-BR">
<head>
<script>
var require = {
    "baseUrl": "http://example.com/pub/static/frontend/Magento/luma/pt_BR"
};
</script>

So it seems to me that in order to have CSP configured I'd have to enable 'unsafe-inline', which is not really safe after all.

# directives must be separated by a semicolon, otherwise "script-src" is parsed as a host source of default-src
Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'"

Does anyone know how to have Magento properly set with CSP?
Thank you!
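An alternative to 'unsafe-inline' that the question does not try is a CSP hash source: script-src may list 'sha256-<base64>' entries, and the browser then executes an inline block only if the digest of its exact content matches. The script below is an added example (not code from the question, the answer, or Magento) that extracts the inline script bodies from an HTML page and emits the matching Apache mod_headers line. The SAMPLE_HTML is constructed from the snippet quoted above; the function names and the Apache directive format are this example's own choices.

```python
import base64
import hashlib
import re

# Constructed sample: the first lines of a Magento 2 Luma page as quoted in
# the question above, with the inline RequireJS config block.
SAMPLE_HTML = """<!doctype html>
<html lang="pt-BR">
<head>
<script>
var require = {
    "baseUrl": "http://example.com/pub/static/frontend/Magento/luma/pt_BR"
};
</script>
<script src="/pub/static/frontend/Magento/luma/pt_BR/requirejs/require.js"></script>
</head>
<body></body>
</html>
"""

# Matches every <script> block; blocks with a src= attribute are filtered out
# below because they are loaded from a URL and are covered by 'self' or a
# host source, not by a hash.
_SCRIPT_BLOCK = re.compile(
    r"<script(?P<attrs>[^>]*)>(?P<body>.*?)</script>",
    re.IGNORECASE | re.DOTALL,
)


def inline_script_bodies(html):
    """Return the exact text between <script> and </script> for each inline
    script, in document order. Nothing is stripped: the browser hashes the
    raw content including leading/trailing newlines and indentation, so any
    normalisation here would produce a hash the browser never matches."""
    bodies = []
    for m in _SCRIPT_BLOCK.finditer(html):
        if re.search(r"\bsrc\s*=", m.group("attrs"), re.IGNORECASE):
            continue
        bodies.append(m.group("body"))
    return bodies


def csp_hash_source(script_body, algo="sha256"):
    """CSP Level 2 hash source for one inline script: the digest of the
    UTF-8 bytes, base64-encoded, wrapped as 'sha256-<base64>'."""
    digest = hashlib.new(algo, script_body.encode("utf-8")).digest()
    return "'%s-%s'" % (algo, base64.b64encode(digest).decode("ascii"))


def build_csp(html):
    """Policy allowing same-origin scripts plus exactly the inline scripts
    present in `html`, with no 'unsafe-inline' and no 'unsafe-eval'.
    Identical blocks are de-duplicated so each hash appears once."""
    sources = list(dict.fromkeys(csp_hash_source(b) for b in inline_script_bodies(html)))
    return "default-src 'self'; script-src " + " ".join(["'self'"] + sources)


def apache_header_line(html):
    """Render the policy as the mod_headers directive used in the question."""
    return 'Header set Content-Security-Policy "%s"' % build_csp(html)


if __name__ == "__main__":
    print(apache_header_line(SAMPLE_HTML))
```

Two caveats before relying on this. The hash covers the bytes of that one block, so the baseUrl block differs per store view and locale (pt_BR above) and every variant has to be hashed, and any Magento upgrade or module that changes the inline output silently breaks the page until the policy is updated; roll the header out as Content-Security-Policy-Report-Only with a report-uri first and watch the violation reports. A per-request nonce would avoid the brittleness, but it requires the application to emit a matching nonce attribute on each inline <script>, which mod_headers alone cannot do and which Magento 2.1 does not provide.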

Best Answer

The simple answer is: sorry, it's not simply possible to make this "secure".

The positive side is that you have nearly no user-contributed content, and therefore this is a rather small downside, at least for the simple and normal case.

I see this as a setting which should absolutely work and be enforced for the admin area, and also in general.

To answer your question, the easiest way may be to file a feature request in the Magento forum and ping some people from the Magento community about it, because it also needs some guidance in the devdocs for module creators; otherwise people would regularly have problems with modules not compatible with this level of security.

Sorry if this is not the answer you expected. The main problem is probably the JavaScript and how it is organized; some parts may expect it to always be there early. Also, I don't know what has changed yet in Magento 2, but in Magento 1 there were also some other places which relied on inline JS; they may not be completely refactored yet.
