Magento2 Security CSP – Magento 2.3.5-p1 CSP Font-src Self Unsafe-inline

cspmagento2Security

In regarding to CSP I create own csp_whitelist, but still I am getting:

The Content Security Policy 'font-src 'self' 'unsafe-inline';
form-action secure.authorize.net test.authorize.net
geostag.cardinalcommerce.com geo.cardinalcommerce.com
1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com
centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com
'self' 'unsafe-inline'; frame-ancestors 'self' 'unsafe-inline';
frame-src secure.authorize.net test.authorize.net
geostag.cardinalcommerce.com geo.cardinalcommerce.com
1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com
centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com
www.paypal.com www.sandbox.paypal.com https://js.stripe.com/
https://www.googletagmanager.com/ https://www.google.com/ 'self'
'unsafe-inline'; img-src widgets.magentocommerce.com
www.googleadservices.com www.google-analytics.com t.paypal.com
www.paypal.com www.paypalobjects.com fpdbs.paypal.com
fpdbs.sandbox.paypal.com *.vimeocdn.com s.ytimg.com
https://stats.g.doubleclick.net/ data: 'self' 'unsafe-inline';
script-src assets.adobedtm.com js.authorize.net jstest.authorize.net
secure.authorize.net test.authorize.net geostag.cardinalcommerce.com
1eafstag.cardinalcommerce.com geoapi.cardinalcommerce.com
1eafapi.cardinalcommerce.com songbird.cardinalcommerce.com
includestest.ccdc02.com www.googleadservices.com
www.google-analytics.com www.paypal.com www.sandbox.paypal.com
www.paypalobjects.com t.paypal.com js.braintreegateway.com s.ytimg.com
video.google.com vimeo.com www.vimeo.com cdn-scripts.signifyd.com
www.youtube.com https://js.stripe.com/v3/
https://www.googletagmanager.com/gtm.js
https://www.google.com/recaptcha/api.js https://www.gstatic.com/
'self' 'unsafe-inline' 'unsafe-eval'; style-src getfirebug.com 'self'
'unsafe-inline'; object-src 'self' 'unsafe-inline'; media-src 'self'
'unsafe-inline'; manifest-src 'self' 'unsafe-inline'; connect-src
geostag.cardinalcommerce.com geo.cardinalcommerce.com
1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com
centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com
'self' 'unsafe-inline'; child-src 'self' 'unsafe-inline'; default-src
'self' 'unsafe-inline' 'unsafe-eval'; base-uri 'self'
'unsafe-inline';' was delivered in report-only mode, but does not
specify a 'report-uri'; the policy will have no effect. Please either
add a 'report-uri' directive, or deliver the policy via the
'Content-Security-Policy' header.

Can I fix it using csp_whitelist.xml?

Edit:
I tried to add some those domains as host to font-src, but it doesnt solve issue. I mean, domains didn`t disappear from warning

EDIT && Solutions:

For issue I wrote here (The Content Security Policy 'font-src 'self' 'unsafe-inline';). It is enough to set up report_uri in Your csp_whitelist.xml file.

For issue with data:xxx is enough to add

<policy id="font-src">
    <values>
        <value id="data" type="host">data:</value>
    </values>
</policy>

to Your csp_whitelist.xml file.
Of course You should add data: policy depends on scope where You have problem (policy id should be changed for example to img-src etc).
It is necessary to set is as host, cause right now Magento doesn`t read any other types.

Best Answer

At the end of the console report, it says:

"...was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header."

This is not saying that the the domain values for each of the listed policies are not whitelisted, they are by default (this error made me believe they weren't until I really looked at it closer). It's saying that there is no report-uri directive.

From the devdocs, it says:

Regardless of restrict or report-only mode, CSP violations may be reported to an endpoint for collection. The URL to use for reporting by browsers can be configured in your custom module’s config.xml file:

<?xml version="1.0"?>
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Store:etc/config.xsd">
    <default>
        <csp>
            <mode>
                <storefront>
                    <report_uri>http://csp-reporting-service.com/my-project/endpoint</report_uri>
                </storefront>
                <admin>
                    <report_uri>http://csp-reporting-service.com/my-project/endpoint</report_uri>
                </admin>
            </mode>
        </csp>
    </default>
</config>

By default, CSP sends errors to the browser console, but can be configured to collect error logs by HTTP request. In addition, there are a number of third-party services that you can use to monitor, collect, and report CSP violations. So, either configure it to be reported to the error logs by https request, or create a custom module and configure the report_uri directive with the CSP reporting service of your liking. https://devdocs.magento.com/security/content-security-policy-overview.html

Related Solutions

Magento – Magento 2.3.5 Content Security Policy directive: “img-src

As of version 2.3.5, Magento supports Content Security Policy headers and provides ways to configure them.

Content Security Policies (CSP) are a powerful tool to mitigate against Cross Site Scripting (XSS) and related attacks, including card skimmers, session hijacking, clickjacking, and more.

By default, Content Security Policiy is configured in report-only mode, which allows merchants and developers to configure policies to work according to their custom code.

Your browser is not showing a Magento 2 error, it is reporting a CSP policy violation

You can configure your own custom CSP rules by adding a csp_whitelist.xml to a custom module etc folder.

You can find more information on how to do this here.

https://devdocs.magento.com/guides/v2.3/extension-dev-guide/security/content-security-policies.html

To completely disable CSP you can also try

bin/magento module:disable Magento_Csp

Magento 2.3.5 CSP Configuration – Assist with csp_whitelist.xml Setup

So, it turns out it was a Chrome extension installed a few weeks ago (which I kind of have forgotten about).

The name is 'Content Security Policy (CSP) Generator', which never indicated where it 'generates' the entries, but this extension reports all items, even if it works and appends 'report-sample' which completely confused me as to origin of this.

Disabling the extension gave me a 100% clearer picture of which items didn't have CSP entries.

For reference, a working setup I created of config and whitelist below.

config.xml - Here is how to use report_only=0 (enforce), but more importantly, fix for frame-ancestors which does not allow unsafe-inline in browsers (as of November 2021).

frame-ancestors fix is only currently applied in 2.4-develop branch.

<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Store:etc/config.xsd">
     <default>
          <csp>
               <policies>
                    <storefront>
                         <frame-ancestors>
                              <inline>0</inline>
                         </frame-ancestors>
                    </storefront>
                    <admin>
                         <frame-ancestors>
                              <inline>0</inline>
                         </frame-ancestors>
                    </admin>
               </policies>
               <mode>
                    <storefront>
                         <report_only>0</report_only>
                         <report_uri>https://site.report-uri.com/r/d/csp/enforce</report_uri>
                    </storefront>
                    <admin>
                         <report_only>0</report_only>
                         <report_uri>https://site.report-uri.com/r/d/csp/enforce</report_uri>
                    </admin>
               </mode>

          </csp>
     </default>
</config>

csp_whitelist.xml

I decided to name (id) them like this :wildcard., because there are some rare instances where non-wildcard domains (like elfsight.com) rule do not work with them, so for instance 'img-src' I have two entries : 'elfsight.com' and 'wildcard.elfsight.com', two rules needed.

<?xml version="1.0"?>
<csp_whitelist xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Csp/etc/csp_whitelist.xsd">
     <policies>
          <policy id="script-src">
               <values>
                    <value id="wildcard.sharethis.com" type="host">*.sharethis.com</value>
                    <value id="wildcard.elfsight.com" type="host">*.elfsight.com</value>
                    <value id="wildcard.cloudflare" type="host">*.cloudflare.com</value>
                    <value id="wildcard.twitter.com" type="host">*.twitter.com</value>
                    <value id="wildcard.google-analytics" type="host">*.google-analytics.com</value>
                    <value id="wildcard.google" type="host">*.google.com</value>
                    <value id="wildcard.gstatic" type="host">*.gstatic.com</value>
                    <value id="wildcard.fontawesome" type="host">*.fontawesome.com</value>
               </values>
          </policy>
          <policy id="style-src">
               <values>
                    <value id="wildcard.elfsight.com" type="host">*.elfsight.com</value>
                    <value id="wildcard.cloudflare" type="host">*.cloudflare.com</value>
                    <value id="wildcard.googleapis" type="host">*.googleapis.com</value>
                    <value id="wildcard.twitter.com" type="host">*.twitter.com</value>
                    <value id="wildcard.gstatic" type="host">*.gstatic.com</value>
                    <value id="wildcard.fontawesome" type="host">*.fontawesome.com</value>
               </values>
          </policy>
          <policy id="img-src">
               <values>
                    <value id="elfsight.com" type="host">elfsight.com</value>
                    <value id="wildcard.elfsight.com" type="host">*.elfsight.com</value>
                    <value id="wildcard.cloudflare" type="host">*.cloudflare.com</value>
                    <value id="wildcard.googleadservices" type="host">*.googleadservices.com</value>
                    <value id="wildcard.google-analytics" type="host">*.google-analytics.com</value>
                    <value id="wildcard.paypal" type="host">*.paypal.com</value>
                    <value id="wildcard.twitter.com" type="host">*.twitter.com</value>
                    <value id="wildcard.data" type="host">'self' data:</value>
               </values>
          </policy>
          <policy id="connect-src">
               <values>
                    <value id="wildcard.sharethis.com" type="host">*.sharethis.com</value>
                    <value id="wildcard.elfsight.com" type="host">*.elfsight.com</value>
                    <value id="wildcard.cloudflare" type="host">*.cloudflare.com</value>
                    <value id="wildcard.twitter.com" type="host">*.twitter.com</value>
                    <value id="wildcard.paypal" type="host">*.paypal.com</value>
               </values>
          </policy>
          <policy id="font-src">
               <values>
                    <value id="wildcard.cloudflare" type="host">*.cloudflare.com</value>
                    <value id="wildcard.twitter.com" type="host">*.twitter.com</value>
                    <value id="wildcard.gstatic" type="host">*.gstatic.com</value>
                    <value id="wildcard.typekit" type="host">*.typekit.net</value>
                    <value id="wildcard.trustedshops" type="host">*.trustedshops.com</value>
                    <value id="wildcard.googleapis" type="host">*.googleapis.com</value>
               </values>
          </policy>

          <policy id="frame-src">
               <values>
                    <value id="wildcard.google" type="host">*.google.com</value>
                    <value id="wildcard.gstatic" type="host">*.gstatic.com</value>
                    <value id="wildcard.twitter.com" type="host">*.twitter.com</value>
               </values>
          </policy>

          <policy id="form-action">
               <values>
                    <value id="wildcard.twitter.com" type="host">*.twitter.com</value>
               </values>
          </policy>
     </policies>
</csp_whitelist>

Best Answer

Related Solutions

Magento – Magento 2.3.5 Content Security Policy directive: “img-src

Magento 2.3.5 CSP Configuration – Assist with csp_whitelist.xml Setup

Related Topic