PHPackages yireo/magento2-csp-whitelist-inline-js - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. [Security](/categories/security) 4. / 5. yireo/magento2-csp-whitelist-inline-js ActiveMagento2-module[Security](/categories/security) yireo/magento2-csp-whitelist-inline-js ====================================== Magento module to automatically add inline JS script to CSP whitelist 0.1.1(1y ago)2974.7k—0.6%[1 issues](https://github.com/yireo/Yireo_CspWhitelistInlineJs/issues)OSL-3.0PHP Since Jun 28Pushed 1y ago5 watchersCompare [ Source](https://github.com/yireo/Yireo_CspWhitelistInlineJs)[ Packagist](https://packagist.org/packages/yireo/magento2-csp-whitelist-inline-js)[ RSS](/packages/yireo-magento2-csp-whitelist-inline-js/feed)WikiDiscussions master Synced 1mo ago READMEChangelog (5)Dependencies (2)Versions (6)Used By (0) Yireo CspWhitelistInlineJs ========================== [](#yireo-cspwhitelistinlinejs) **When, in Magento 2, the CSP policy to disallow inline scripts is enabled, any script requires either a hash or a nonce (or something similar). This module scans any PHTML template for scripts on the fly and adds a nonce where needed, depending on your configuration.** Installation ------------ [](#installation) ``` composer require yireo/magento2-csp-whitelist-inline-js bin/magento module:enable Yireo_CspWhitelistInlineJs ``` Configuration ------------- [](#configuration) - **Mode** - `Custom whitelisting` (recommended) - `Whitelist everything` (dangerous) - **Logging**: See below Mode: Custom whitelisting ------------------------- [](#mode-custom-whitelisting) A block can be whitelisted automatically by this module, using one of the following techniques: ### 1. Custom whitelisting by XML layout [](#1-custom-whitelisting-by-xml-layout) You can whitelist a specific `block` via the XML layout, by adding an argument `csp_whitelist`: ``` true ``` **Note that there is still a security issue here, because the layout could be updated via the database as well (which could be hijacked via SQL injection).** ### 2. Via DI plugin [](#2-via-di-plugin) You could also create a DI plugin `afterAllow` on `\Yireo\CspWhitelistInlineJs\Util\AllowBlock::allow(Template $block)`. Mode: Whitelist everything -------------------------- [](#mode-whitelist-everything) With this mode, any inline script is simply allowed. It defeats the purpose of CSP, in general, but gets the job done. Do make sure to log things, so that you can use a different mode after a while. If you keep using this mode in production, you don't get it. Mode: Whitelist everything -------------------------- [](#mode-whitelist-everything-1) ### Important note on whitelisting everything & security [](#important-note-on-whitelisting-everything--security) Note that automatically fixing inline scripts with this module does **not** take away the security risk that was meant to be fixed with CSP. The best solution is to apply this module to make sure CSP is not causing harm in production. And next, go through all of the inline scripts that don't have CSP-support yet and add CSP-support to it. **And then remove this module again.** ### What about CMS content? [](#what-about-cms-content) Whenever content is added to the HTML output of Magento, security checks would need to be in place. For instance, the content of CMS pages or CMS blocks might be compromised by hackers and with that, XSS attacks might be initiated by adding inline scripts to that content. By default, this module does **not** do anything specific for that CMS content. However, in a default situation, CMS pages and CMS blocks are not being outputted via templates and therefore an inline script in CMS content is not nonced by this module (which is a good thing). While the default is safe, any modification (custom theming, 3rd party modules, etc) could lead into compromised CMS content being outputted with nonced scripts anyway. Logging ------- [](#logging) This module also allows logging of these inline scripts. Just enable logging via **Yireo > Yireo CspWhitelistInlineJs > Settings > Logging** (`csp_whitelist_inline_js/settings/logging`). Next, monitor the logfile `var/log/yireo-csp-whitelist-inline-js.log`. The log contains a listing of all block templates that have been picked up upon by this module. The recommendation is to go through this file and make sure that each template is whitelisted by the extension or theme that is offering that template, so that - one day in the future - you are able to remove this `Yireo_CspWhitelistInlineJs` module. Note that this file is regenerated at the end of every request by combining all existing lines with new lines. Compatibility ------------- [](#compatibility) - Luma theme - Hyvä Themes - Hyvä Checkout ### Health Score 32 — LowBetter than 72% of packages Maintenance35 Infrequent updates — may be unmaintained Popularity39 Limited adoption so far Community9 Small or concentrated contributor base Maturity34 Early-stage or recently created project Bus Factor1 Top contributor holds 100% of commits — single point of failure How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window. **Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores. **Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement. **Maturity (30%)** — Project age, version count, PHP version support, and release stability. ### Release Activity Cadence Every ~24 days Total 5 Last Release 593d ago ### Community Maintainers ![](https://avatars.githubusercontent.com/u/1373981?v=4)[Yireo](/maintainers/yireo)[@yireo](https://github.com/yireo) --- Top Contributors [![jissereitsma](https://avatars.githubusercontent.com/u/7670482?v=4)](https://github.com/jissereitsma "jissereitsma (18 commits)") ### Embed Badge ![Health badge](/badges/yireo-magento2-csp-whitelist-inline-js/health.svg) ``` [![Health](https://phpackages.com/badges/yireo-magento2-csp-whitelist-inline-js/health.svg)](https://phpackages.com/packages/yireo-magento2-csp-whitelist-inline-js) ``` ### Alternatives [veriteworks/cookiefix Magento2 extension for Cookie SameSite attribute. 65455.3k1](/packages/veriteworks-cookiefix)[imi/magento2-friendly-captcha Friendly Captcha integration for Magento2 18116.2k](/packages/imi-magento2-friendly-captcha)[basecom/magento2-csp-split-header Magento 2 module to split oversized CSP headers into multiple headers. 5256.6k](/packages/basecom-magento2-csp-split-header)[pixelopen/magento-cloudflare-turnstile Protect your store from spam messages and spam user accounts with Cloudflare Turnstile 5325.4k1](/packages/pixelopen-magento-cloudflare-turnstile)[sansec/magento2-module-shield 14111.8k](/packages/sansec-magento2-module-shield) PHPackages © 2026 [Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)