APSB24-40 Security Patch: CSP and Checkout Updates

I’m posting this issue with the hope that we can come up with some kind of centralized community agreement on how to handle CSP in checkout with the latest Magento patch release, with concrete examples and procedures. I won’t define here why CSP handling is important; I think the security patch speaks for itself.

Now, I guess most of you are struggling to update your checkout process. The issue is that checkout is most of the time the one thing with full customization, meaning it is full of third-party module dependencies, script dependencies, etc.
Lots of them probably won’t be CSP compliant and won’t respect the inline script policy… so what is left to us developers is to wait for these modules to update themselves to be CSP compliant? Well… since July I haven’t seen anything going in that direction.
Another case of concern is dynamic scripts, like for example GTM or GA, which are known to insert scripts into your pages. And that makes things even worse to handle.

So far, I’ve been looking at lots and lots of solutions across the web, from known and unknown vendors: Blackbird, Yireo, etc.

But basically, you could classify these solutions into two categories. The first ones accept inline scripts, meaning the checkout would work again, but then the security patch remains ineffective. That’s like saying… I don’t care about the M2 patch… I’m reverting it… but hey look… it’s still applied so all good!
Well no… that’s not a good solution.

The second solution I came across was a little bit more interesting. It seems to come closer to what Adobe is recommending, about using a CSPNonceGenerator and calling that CSP nonce generation in templates. And honestly, I think it could do the trick for small projects with little customization, where you can easily find the scripts and files that need whitelisting. But in most cases, that’s not the case… and that’s where this module comes in, with the same process of generating a nonce… but then applying it to every template… which is basically as bad as the first solution, as it’s the same thing as whitelisting everything?

Other people are talking about generating a sha256 hash to whitelist… which is to me an aberration, as each time a developer updates a script the hash will change. Moreover, you might have dynamic scripts like GA or GTM where the content might change depending on the product, the customer, etc. So in these situations the hash is not even an option.

So… here I am with this question… how to properly and fully handle CSP nowadays? Did you find any solution in the past 2-3 months? If so, can you explain it?

NB: I suspect we all know about the csp_whitelist.xml file, and I suspect we all understand that most checkout scripts can’t be whitelisted simply the old way… looking at console errors and adding the domain from the error to the whitelist.
I feel like Magento itself is kind of blocking its own scripts too, although I’m not sure.

NB2: Sorry if the text is not very consistent; I feel like these are advanced methods and concepts and I’m not getting everything about it.

NB3: Mark Shust’s Chrome extension for CSP seems very interesting to dig into, but in my case some of our websites, the ones with dynamic scripting like GTM, won’t be fixed just with the whitelisting offered by the extension.
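The hash-versus-nonce trade-off described in the post can be made concrete with a small model of how a browser evaluates the `script-src` directive. The following is an added example, not code from the original post and not Magento's own CSP module; it implements a simplified version of the CSP3 matching rules (nonce-source, hash-source, `'unsafe-inline'` being ignored once a nonce or hash is present, and `'strict-dynamic'` for scripts that a trusted loader injects at runtime, which is the standard answer to the GTM/GA case the post raises and goes slightly beyond it). The checkout script body and the `https://tags.example` host are constructed placeholders.

```python
"""
Minimal evaluator for the script-src directive of a Content-Security-Policy.
Shows why a sha256 allow-list breaks on every script edit, why a per-response
nonce survives edits, and why a nonce on the loader plus 'strict-dynamic' is
what covers scripts that a tag manager injects at runtime.
Simplified model of CSP3 matching; not a full parser.
"""
import base64
import hashlib
import secrets
from typing import Dict, List, Optional


def csp_sha256(script_body: str) -> str:
    """Hash-source for an inline script, exactly as it appears in the header."""
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def new_nonce() -> str:
    """Fresh, unguessable nonce; must be generated per response, never reused."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def parse_script_src(policy: str) -> List[str]:
    """Return the source expressions of the script-src directive (empty if absent)."""
    for directive in policy.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "script-src":
            return tokens[1:]
    return []


def inline_allowed(policy: str, script_body: str, nonce_attr: Optional[str] = None) -> bool:
    """Would the browser execute an inline <script> under this policy?
    Order of checks mirrors CSP3: a matching nonce attribute wins, then a
    matching hash of the body, otherwise 'unsafe-inline' is needed and it is
    ignored whenever any nonce- or hash-source is present."""
    sources = parse_script_src(policy)
    if nonce_attr and f"'nonce-{nonce_attr}'" in sources:
        return True
    if csp_sha256(script_body) in sources:
        return True
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
    )
    return "'unsafe-inline'" in sources and not has_nonce_or_hash


def injected_script_allowed(policy: str, src_origin: str, parent_is_trusted: bool) -> bool:
    """A <script src=...> element created by another script via the DOM API
    (the way tag managers load their payloads). With 'strict-dynamic' it is
    allowed iff the creating script was itself allowed by nonce or hash, and
    host allow-lists are ignored; without it, the origin must be allow-listed."""
    sources = parse_script_src(policy)
    if "'strict-dynamic'" in sources:
        return parent_is_trusted
    return src_origin in sources


def demo() -> Dict[str, bool]:
    """Constructed scenario: one inline checkout script, then a one-byte edit."""
    checkout_js = "window.checkoutConfig = {shipping: 'flat'};"   # constructed
    edited_js = checkout_js + " // bumped"                           # one-line edit
    hashed_policy = f"default-src 'self'; script-src 'self' {csp_sha256(checkout_js)}"
    nonce = new_nonce()
    nonce_policy = f"default-src 'self'; script-src 'nonce-{nonce}' 'strict-dynamic'"
    tag_host = "https://tags.example"                                # placeholder origin
    return {
        "hash_ok_before_edit": inline_allowed(hashed_policy, checkout_js),
        "hash_ok_after_edit": inline_allowed(hashed_policy, edited_js),
        "nonce_ok_after_edit": inline_allowed(nonce_policy, edited_js, nonce),
        "injected_ok_with_strict_dynamic": injected_script_allowed(nonce_policy, tag_host, True),
        "injected_ok_with_hash_policy": injected_script_allowed(hashed_policy, tag_host, True),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {allowed}")
```

Two points the run makes that the post's discussion depends on: once a single nonce or hash is present, `'unsafe-inline'` is dead weight, so a policy that keeps it "to make checkout work" only helps on browsers without CSP3 support; and a nonce is only a control if it is unique per response, so a full-page cache in front of checkout that re-serves the same nonce to every visitor removes the protection as surely as `'unsafe-inline'` does.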