hyva-themes/magento2-optimized-csp-allowlist
============================================

Be more precise on which CSP domains are allowed to be loaded

Version 1.1.1, BSD-3-Clause, PHP >=8.1

[Source](https://github.com/hyva-themes/magento2-optimized-csp-allowlist), [Packagist](https://packagist.org/packages/hyva-themes/magento2-optimized-csp-allowlist)

Content Security Policy Optimized Allowlist
===========================================


This extension optimizes the Content Security Policy (CSP) of a Magento store by loading modules' `csp_whitelist.xml` files selectively, so the header only allows the domains the rendered page actually needs. That removes unnecessary domain allowances and with them the XSS opportunities an over-broad allowlist creates.

Description
-----------


The `Content-Security-Policy` header contains a list of allowed domains that applies to both the frontend and the backend of your Magento installation. Magento does not check whether these domains are actually needed to render a page. That brings real security risk: a domain that is allowed but not needed can still be used for some clever XSS attacks (more below) on your store.

Even with CSP fully enforced, `eval` disabled and unsigned inline scripts blocked, an allowed third-party domain that reflects attacker-controlled input can still be used to run unvalidated code on your store.

Your Magento installation will include many third-party extensions, and Magento itself ships several `csp_whitelist.xml` files by default. Each of them declares many domains, and all of them are merged automatically into the CSP header. Besides the additional risk, this greatly increases the size of the header.

[![Configuration image](docs/configuration.png)](docs/configuration.png)

Installation
------------


Installation in your Magento project is done via composer.

```
composer require hyva-themes/magento2-optimized-csp-allowlist
bin/magento setup:upgrade
```

Post installation
-----------------


This extension can run in two modes:

1. **Fully disable all modules' `csp_whitelist.xml`** - The safest option; you can still ship a `csp_whitelist.xml` file directly in your theme
2. **Check whether a template file from a specific extension is used** - A module's `csp_whitelist.xml` is only merged into the CSP header if one of that module's `.phtml` files was rendered on the page

The second mode is enabled by default after installation.

Configuration
-------------


You can configure how the extension should work per store:

- Navigate to **Stores** -> **Configuration**
- Then **Security** -> **Content Security Policy (CSP)**
    - **Fully disable module allowlists** disables every module's `csp_whitelist.xml` (default: **No**)
    - **Enable allowlist optimization** enables or disables the template check per store (default: **Yes**)

Research: XSS Risks when allowing domains
-----------------------------------------


On a vanilla Magento installation (tested on 2.4.8-p1) without this extension, 25 of the 46 entries on the allowed domains list can be used to inject XSS.

For example, `*.google.com` is allowlisted in `magento/module-payment-services-paypal/etc/csp_whitelist.xml`, which permits at least the following injection.

```

```

The input is reflected by the endpoint, so the payload executes `alert(1337)`; an attacker can substitute any script.

For more information, see [renniepak/CSPBypass](https://github.com/renniepak/CSPBypass) and test the domains allowed by your own store.
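To put numbers on the "allowed but not needed" problem described above and to act on "test your own domains", the following script is an added example (not part of this extension) that parses a `Content-Security-Policy` header and flags the `script-src` sources worth a second look: wildcard hosts, scheme-only sources, `'unsafe-*'` keywords, and hosts that overlap with a check-list you maintain from your own CSPBypass testing. The sample header and the check-list contents are constructed for the example.

```python
"""Audit the script-src sources of a Content-Security-Policy header (added example)."""
import re

# Constructed sample header: a short stand-in for the one a Magento store emits.
SAMPLE_HEADER = (
    "default-src 'self'; "
    "script-src 'self' 'unsafe-inline' *.google.com https://www.paypal.com "
    "https: cdn.example-cdn.net; "
    "style-src 'self' 'unsafe-inline'; "
    "img-src * data:"
)

# Constructed check-list: hosts you have confirmed (e.g. with CSPBypass) to
# reflect input or expose script-returning endpoints. Fill it from your own tests.
KNOWN_BYPASS_HOSTS = {"*.google.com"}

UNSAFE_KEYWORDS = {"'unsafe-inline'", "'unsafe-eval'"}
SCHEME_ONLY = re.compile(r"^[a-z][a-z0-9+.-]*:$")   # e.g. "https:", "data:"


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source, ...]}.

    Directives are ';'-separated, sources whitespace-separated. A repeated
    directive is ignored by browsers, so the first occurrence wins here too.
    """
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def host_of(source: str) -> str:
    """Strip scheme, port and path from a host-source so hosts can be compared."""
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", source.lower())
    return host.split("/")[0].split(":")[0]


def matches(host: str, pattern: str) -> bool:
    """CSP host matching: '*' matches anything, '*.example.com' matches any
    subdomain but not the bare apex, anything else must match exactly."""
    pattern = pattern.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return host == pattern


def covers(a: str, b: str) -> bool:
    """True if either entry (host or wildcard pattern) covers the other."""
    return matches(a, b) or matches(b, a)


def audit_script_src(header: str, bypass_hosts=KNOWN_BYPASS_HOSTS) -> dict[str, list[str]]:
    """Classify the effective script-src sources of a header."""
    policy = parse_csp(header)
    # script-src falls back to default-src when it is absent.
    sources = policy.get("script-src", policy.get("default-src", []))
    findings: dict[str, list[str]] = {
        "sources": list(sources), "unsafe_keyword": [], "scheme_only": [],
        "wildcard": [], "bypass_host": [],
    }
    for src in sources:
        if src in UNSAFE_KEYWORDS:
            findings["unsafe_keyword"].append(src)
            continue
        if src.startswith("'"):          # 'self', 'nonce-…', 'sha256-…', 'strict-dynamic'
            continue
        if SCHEME_ONLY.match(src):       # allows every host on that scheme
            findings["scheme_only"].append(src)
            continue
        host = host_of(src)
        if host == "*" or host.startswith("*."):
            findings["wildcard"].append(src)
        if any(covers(host, p) for p in bypass_hosts):
            findings["bypass_host"].append(src)
    return findings


if __name__ == "__main__":
    for kind, entries in audit_script_src(SAMPLE_HEADER).items():
        print(f"{kind:15} {entries}")
```

Run it against the header your store returns (for example from `curl -sI` on a product page) rather than the sample; the `bypass_host` list is only as good as the check-list you feed it, and a wildcard entry in the header is reported when it covers a host on the list, not only on an exact match.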

Technique
---------


The extension checks whether a `.phtml` template belonging to a module was rendered on the current page. Only if that is the case is the module's `csp_whitelist.xml` allowed to contribute to the CSP header.
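The two modes listed under Post installation and the template check described here can be modelled offline. The following Python block is an added example, not the extension's code: it parses `csp_whitelist.xml` bodies in the `policies > policy[id] > values > value[type]` layout used by Magento_Csp, takes a list of rendered template names in the `Vendor_Module::file.phtml` form as its stand-in for what the extension observes at request time, and builds the merged allowlist for all three behaviours (plain Magento, optimized, fully disabled). The module names, whitelist contents and rendered template list are constructed for the example.

```python
"""Model of a template-driven CSP allowlist (added example, not the extension's code)."""
import xml.etree.ElementTree as ET

# Constructed stand-ins for three modules' etc/csp_whitelist.xml files.
WHITELISTS = {
    "Magento_PaymentServicesPaypal": """
<csp_whitelist>
  <policies>
    <policy id="script-src"><values>
      <value id="google" type="host">*.google.com</value>
      <value id="paypal" type="host">*.paypal.com</value>
    </values></policy>
    <policy id="frame-src"><values>
      <value id="paypal" type="host">*.paypal.com</value>
    </values></policy>
  </policies>
</csp_whitelist>""",
    "Vendor_Analytics": """
<csp_whitelist>
  <policies>
    <policy id="script-src"><values>
      <value id="gtm" type="host">www.googletagmanager.com</value>
    </values></policy>
  </policies>
</csp_whitelist>""",
    "Vendor_Chat": """
<csp_whitelist>
  <policies>
    <policy id="script-src"><values>
      <value id="chat" type="host">*.chat-widget.example</value>
    </values></policy>
    <policy id="connect-src"><values>
      <value id="chat" type="host">wss://*.chat-widget.example</value>
    </values></policy>
  </policies>
</csp_whitelist>""",
}

# Constructed list of templates rendered on one page: the theme header and
# the analytics snippet, but nothing from PayPal or the chat widget.
RENDERED_TEMPLATES = ["Magento_Theme::html/header.phtml", "Vendor_Analytics::gtm.phtml"]


def parse_whitelist(xml_text: str) -> dict[str, set[str]]:
    """Return {policy id: {host values}} from one csp_whitelist.xml body.

    Only type="host" values are collected here; hash values would have to be
    merged into the same policy as 'sha256-…' tokens.
    """
    policies: dict[str, set[str]] = {}
    for policy in ET.fromstring(xml_text.strip()).iter("policy"):
        hosts = {v.text.strip() for v in policy.iter("value")
                 if v.get("type") == "host" and v.text}
        policies.setdefault(policy.get("id"), set()).update(hosts)
    return policies


def module_of(template: str) -> str:
    """'Vendor_Module::path/file.phtml' -> 'Vendor_Module'."""
    return template.split("::", 1)[0]


def build_allowlist(whitelists, rendered_templates, mode="optimized") -> dict[str, set[str]]:
    """Merge module allowlists.

    mode="all":       every module contributes (plain Magento behaviour)
    mode="optimized": only modules with a rendered .phtml contribute
    mode="disabled":  no module contributes (theme-level XML would remain)
    """
    if mode == "disabled":
        return {}
    rendered = {module_of(t) for t in rendered_templates}
    merged: dict[str, set[str]] = {}
    for module, xml_text in whitelists.items():
        if mode == "optimized" and module not in rendered:
            continue
        for policy_id, hosts in parse_whitelist(xml_text).items():
            merged.setdefault(policy_id, set()).update(hosts)
    return merged


def render_header(allowlist: dict[str, set[str]]) -> str:
    """Serialize {policy: hosts} as a header value, 'self' first, sorted for stable diffs."""
    return "; ".join(f"{pid} 'self' " + " ".join(sorted(allowlist[pid]))
                     for pid in sorted(allowlist))


if __name__ == "__main__":
    for mode in ("all", "optimized", "disabled"):
        print(f"{mode:10} {render_header(build_allowlist(WHITELISTS, RENDERED_TEMPLATES, mode))!r}")
```

The point of the model is the difference between the first two outputs: with the same page, the optimized header drops `*.google.com`, `*.paypal.com` and the chat widget hosts because none of their templates were rendered, which is exactly the reduction the extension applies per request.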

Adding domains and hashes without use of XML
--------------------------------------------


You can use the view model `\Hyva\OptimizedCspAllowlist\ViewModel\Hosts::add(string $policyId, ['host.ext', ...])` to add domains without a `csp_whitelist.xml`.

This gives more flexibility, as you can be very specific about which domains or hashes to allow in the frontend. It also makes dynamic domains possible, for example on multilingual stores or when a specific store uses a specific CDN.

For instance, the Google Analytics `.phtml` file can register its domain in the same file instead of in XML, making sure that domain is only allowed on pages where that template is rendered.

### Dynamic domains


This also makes it possible to add custom domains per store on multilingual setups: instead of `*.host.ext`, allow only `lang.host.ext`.

### Viewmodels for any theme


View models can be injected through `layout.xml` in any theme by passing the class as an `object` argument to the block that renders the template:

```
<!-- "your.block" and "hosts" are placeholders: use the name of your own block and any argument name -->
<referenceBlock name="your.block">
    <arguments>
        <argument name="hosts" xsi:type="object">\Hyva\OptimizedCspAllowlist\ViewModel\Hosts</argument>
    </arguments>
</referenceBlock>
```

In your `.phtml` file you:

```
