CSP Module not working

I installed the CSP module as mentioned here but it doesn’t work for me. The module is listed as enabled but it’s like it’s ignored. I ran setup:upgrade, of course, and cleared the cache.

I’m using Magento 2.4.0 with Apache web server behind a nginx reverse proxy with HTTP basic Auth enabled.

Any ideas?

Hi @kamzata and welcome,

I built and tested the module on 2.4.0. Did you try recompiling between upgrading and cache clearing?

Upload “DigitalStartup” folder to

app/code/

Add/Remove required URLs in

app/code/DigitalStartup/Csp/etc/csp_whitelist.xml

Enable Module

bin/magento module:enable DigitalStartup_Csp

Update Magento Schema

bin/magento setup:upgrade

Compile if in Production

bin/magento setup:di:compile

Clear Cache

bin/magento cache:clean

I’m doubtful that the Nginx reverse proxy would affect anything, but I don’t know enough about reverse proxies to be certain.

Yeah, that’s my thought too. I don’t think Nginx or Varnish could prevent it from working, but I tried many solutions without success. I also tried this module but it’s still not working. I cannot understand where the problem is.

Do you have Magento_Csp enabled? I’m assuming you do, but just checking. DigitalStartup_Csp extends this module, so both need to be enabled.

Having said that, I guess you wouldn’t be seeing the warnings if it was off.

I got it partially working using the Flancer32 extension that I linked before. I installed it, enabled it and ran magento fl32:csp:analyze. Now all the console errors have gone away except one from PayPal:

[Report Only] Refused to load the image 'https://dub.stats.paypal.com/counter2.cgi?i=127.0.0.1&p=6eaf216598124ea0799836ddab3ef7bf&t=1600355547.455&a=14' because it violates the following Content Security Policy directive: "img-src data: b.stats.paypal.com c.paypal.com widgets.magentocommerce.com

You probably just need to add the URL to your whitelist under <policy id="img-src">:

<value id="dub.stats.paypal.com" type="host">dub.stats.paypal.com</value>

Yeah, but where? That module doesn’t provide a whitelist.xml file and I cannot add it from the backend, I can just read the automatically added entries from there.

The link you shared earlier contains Docs for their module (System > Content Security Policy > CSP Rules)

Thanks, I already read it but as I said, from there I can only read the recognized entries automatically added after running magento fl32:csp:analyze. I cannot manually add any entry from there.

It appears the mage2_ext_csp module has only 2 main functions:

  1. Reports on CSP Warnings (Chrome does that anyway)
  2. Turns Report Only mode on/off

If you get mine working, you just add the rule I mentioned to the aforementioned file.

Sadly, I cannot understand why, but your module, as well as the others I tried and another that I created myself similar to yours, simply don’t work. That’s the only module that is working for me at the moment. However, I’ll try again with yours.

I don’t know why, but now your module works. I probably messed up the policy ids. Anyway, thanks!

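
A check for the two failure modes that came up in this thread, a host missing from the whitelist and a host listed under a wrong policy id, as an added example that is not part of the thread or of either module's code. It reads a csp_whitelist.xml, flags policy ids that are not CSP directive names, and turns a browser console violation message into the `<value>` line to add. The function names, the sample whitelist (schema attributes omitted) and the shortened console message are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Standard CSP directive names; any other <policy id> is flagged as a likely typo.
KNOWN_DIRECTIVES = {"default-src", "script-src", "style-src", "img-src", "font-src",
                    "connect-src", "media-src", "object-src", "frame-src", "child-src",
                    "manifest-src", "form-action", "frame-ancestors", "base-uri"}

# Constructed sample: the PayPal host sits under a mistyped policy id.
SAMPLE_WHITELIST = """<csp_whitelist><policies>
  <policy id="img-src"><values>
    <value id="b.stats.paypal.com" type="host">b.stats.paypal.com</value>
  </values></policy>
  <policy id="image-src"><values>
    <value id="dub.stats.paypal.com" type="host">dub.stats.paypal.com</value>
  </values></policy></policies></csp_whitelist>"""

# Constructed console message, shortened from the one quoted in the thread.
SAMPLE_VIOLATION = ("[Report Only] Refused to load the image "
    "'https://dub.stats.paypal.com/counter2.cgi?i=127.0.0.1' because it violates "
    'the following Content Security Policy directive: "img-src data: b.stats.paypal.com"')

VIOLATION_RE = re.compile(r"Refused to .*?'(?P<url>[^']+)' because it violates the following "
                          r'Content Security Policy directive: "(?P<directive>[a-z-]+)')

def load_whitelist(xml_text):
    """Map each <policy id> to the set of sources listed under it."""
    policies = {}
    for p in ET.fromstring(xml_text).iter("policy"):
        values = (v.text.strip() for v in p.iter("value") if v.text)
        policies.setdefault(p.get("id"), set()).update(values)
    return policies

def unknown_policy_ids(whitelist):
    return sorted(set(whitelist) - KNOWN_DIRECTIVES)

def host_allowed(host, sources):
    """Exact match, or CSP wildcard (*.example.com covers subdomains only)."""
    return any(host == s or (s.startswith("*.") and host.endswith(s[1:]))
               for s in sources)

def suggest_value(message, whitelist):
    """Return (directive, <value> line) for an uncovered host, else None."""
    m = VIOLATION_RE.search(message)
    host = urlparse(m["url"]).hostname if m else None
    if host is None or host_allowed(host, whitelist.get(m["directive"], set())):
        return None
    return m["directive"], f'<value id="{host}" type="host">{host}</value>'
```

On the sample input, `unknown_policy_ids` reports `image-src` and `suggest_value` still asks for the PayPal host under `img-src`, because an entry under a misspelled policy id does not cover that directive.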