Magento2.3.5 – Content Security Policy (CSP) Data:Image

magento2.3magento2.3.5

Has anyone found a way to integrate the data:image/png as csp_whitelist?

[Report Only] Refused to load the image 'data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR4nGP6zwAAAgcBApocMXEAAAAASUVORK5CYII=' because it violates the following Content Security Policy directive: "img-src widgets.magentocommerce.com www.googleadservices.com www.google-analytics.com t.paypal.com www.paypal.com www.paypalobjects.com fpdbs.paypal.com fpdbs.sandbox.paypal.com *.vimeocdn.com s.ytimg.com *.cloudflare.com https://cdn.klarna.com *.paypal.com https://s.ytimg.com *.usercentrics.eu 'self' 'unsafe-inline'".

Best Answer

In your custom csp_whitelist.xml (eg. in a custom modules etc-directory) add this:

<policy id="img-src">
  <values>
    <value id="data" type="host">data:</value>
  </values>
</policy>

The colon as suffix is the important stuff here.

etc/csp_whitelist.xml

Need to implement our own whitelist using above file

see https://devdocs.magento.com/guides/v2.4/extension-dev-guide/security/content-security-policies.html

pros:

format evaluation using schema

cons:

there is no way to declare schema type entry
however you can whitelist schemes declaring host with schema name, just need to add : after the schema name eg: <value id="data-schema" type="host">data:</value>

this is the recommended way by Magento

etc/config.xml

whitelist can be declared as config node with specific tags using above file

see vendor/magento/module-csp/etc/config.xml

pros:

can be inserted to the core_config_data table via environment configuration or data patch

cons:

if it is stored in DB data patch required to change/modify

Implement custom policy collector

see vendor/magento/module-csp/etc/di.xml and vendor/magento/module-csp/Model/Collector/CspWhitelistXmlCollector.php

inject your custom collector into collectors argument of Magento\Csp\Model\CompositePolicyCollector.
Custom collector have to implements Magento\Csp\Api\PolicyCollectorInterface
insert policies using Magento\Csp\Model\Policy\FetchPolicy

pros:

you can use nonce type whitelists
highly customizable
possible to create standard, composer ready solution with chance to adjust whitelist thru configuration (eg using https://devdocs.magento.com/guides/v2.4/ext-best-practices/tutorials/dynamic-row-system-config.html to store whitlelist element)

cons:

developer knowledge required

Magento – Magento 2.3.5 Content Security Policy directive: “img-src

As of version 2.3.5, Magento supports Content Security Policy headers and provides ways to configure them.

Content Security Policies (CSP) are a powerful tool to mitigate against Cross Site Scripting (XSS) and related attacks, including card skimmers, session hijacking, clickjacking, and more.

By default, Content Security Policiy is configured in report-only mode, which allows merchants and developers to configure policies to work according to their custom code.

Your browser is not showing a Magento 2 error, it is reporting a CSP policy violation

You can configure your own custom CSP rules by adding a csp_whitelist.xml to a custom module etc folder.

You can find more information on how to do this here.

https://devdocs.magento.com/guides/v2.3/extension-dev-guide/security/content-security-policies.html

To completely disable CSP you can also try

bin/magento module:disable Magento_Csp

Best Answer

Related Solutions

Magento 2.3.5 Upgrade – Fix Content Security Policy False Positive CDN Fonts

etc/csp_whitelist.xml

pros:

cons:

this is the recommended way by Magento

etc/config.xml

pros:

cons:

Implement custom policy collector

pros:

cons:

Magento – Magento 2.3.5 Content Security Policy directive: “img-src

Related Topic