Content Security Policy Magento 2

Hi,

Can somebody help me please with Content Security Policy warning messages in the Google console?
I read the article and installed the module, however, the console still shows the issue with Recaptcha.

I also added this line to whitelist file but it didn’t help.
<value id="google-recaptcha" type="host">https://www.google.com/recaptcha/</value>

I found it here.

Can somebody give me a tip on how to fix it?
Thank you.

Hi Pawel,
What Magento 2 version are you running on?
From what I’m aware, after the 2.4.2 version the Core Content Security Policy (CSP) violations have been fixed:
https://devdocs.magento.com/guides/v2.4/release-notes/open-source-2-4-2.html

Hi Andy,

I use M2.4.2. This CSP drives me crazy. I can’t get rid of these warnings.
Read quite a few articles, installed Craig’s module but the warnings still persist.

Any tip will be helpful.

Thank you in advance.
PP

Run bin/magento module:status to check how many csp modules you have.
I had one from the theme installed and one from Craig. You have to keep only one.

Are you seeing this when logging on as a customer on the frontend? If so, it isn’t a CSP issue, it is a Chrome issue… see below, which is a paste of my notes from when I came across this issue. Note: In Magento 2.4, even fixing this issue, the Recaptcha still didn’t work, so I had to disable it. The GitHub link may have a proper fix now; I haven’t revisited it for over a year.

Now getting Google Recaptcha not loading when you enter an email address. Getting unsafe-inline error, this is known…

Fix:
Create /app/code/CUSTOMMODULENAME/Backend/etc/config.xml
With the following code:

<?xml version="1.0"?>
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Store:etc/config.xsd">
    <default>
        <csp>
            <policies>
                <storefront>
                    <frame-ancestors>
                        <inline>0</inline>
                    </frame-ancestors>
                </storefront>
            </policies>
        </csp>
    </default>
</config>

• php bin/magento cache:clean

But still doesn’t load the Recaptcha when you enter your email address, so I’ve had to disable ReCAPTCHA V3 Invisible for Customer Login:

• Stores > Configuration > Security > Google reCAPTCHA Storefront > Enable for Customer Login: change from V3 to No

Hope that helps.
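
Added example (not from any poster in this thread, and not Magento's own code): a small Python check that reads a csp_whitelist.xml and reports which console violations it still leaves uncovered, since a `host` value only applies to the policy id it sits under. The placement under `script-src` and the violation URLs are constructed for illustration; the matching is a simplified version of CSP host-source rules.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed whitelist: the <value> line from the question, under one policy only.
WHITELIST_XML = """<csp_whitelist xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Csp:etc/csp_whitelist.xsd">
  <policies>
    <policy id="script-src">
      <values>
        <value id="google-recaptcha" type="host">https://www.google.com/recaptcha/</value>
      </values>
    </policy>
  </policies>
</csp_whitelist>"""

# Constructed (directive, blocked URL) pairs, as read off console violation messages.
VIOLATIONS = [
    ("script-src", "https://www.google.com/recaptcha/api.js"),
    ("script-src", "https://www.gstatic.com/recaptcha/releases/EXAMPLE/recaptcha__en.js"),
    ("frame-src", "https://www.google.com/recaptcha/api2/anchor"),
]

def load_hosts(xml_text):
    """Map each policy id (CSP directive) to its whitelisted host sources."""
    hosts = {}
    for policy in ET.fromstring(xml_text).iter("policy"):
        for value in policy.iter("value"):
            if value.get("type") == "host" and value.text:
                hosts.setdefault(policy.get("id"), []).append(value.text.strip())
    return hosts

def host_source_matches(source, url):
    """Simplified CSP host-source match (ports and scheme-less sources not modelled)."""
    s, u = urlsplit(source), urlsplit(url)
    if s.scheme != u.scheme or not s.hostname or not u.hostname:
        return False
    if s.hostname.startswith("*."):
        if not u.hostname.endswith(s.hostname[1:]):
            return False
    elif s.hostname != u.hostname:
        return False
    # A source path ending in "/" is a prefix match; any other path must match exactly.
    if s.path in ("", "/"):
        return True
    return u.path.startswith(s.path) if s.path.endswith("/") else u.path == s.path

def uncovered(hosts, violations):
    """Return the violations that no whitelist entry for that directive covers."""
    return [(d, url) for d, url in violations
            if not any(host_source_matches(src, url) for src in hosts.get(d, []))]
```

With the constructed inputs, `uncovered(load_hosts(WHITELIST_XML), VIOLATIONS)` returns the gstatic.com script and the frame-src entry, so each directive named in a console message needs its own whitelist value.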
