Auto Added by WPeMatico
I’ve added all the google tag manager url in my csp_whitelist and those url are not blocked anymore. Still, I have an issue with a new url that I don’t know how to whitelist. The error in question is: Refused… Read More »magento 2.4.6 how to csp whitelist server-side-tagging for google tag manager?
i’m trying to receive csp reports for my magento2 (open-source) website using their official guide: https://developer.adobe.com/commerce/php/development/security/content-security-policies/ and using an endpoint generated from report-uri.com this is config.xml: <?xml version=”1.0″?> <config xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance” xsi:noNamespaceSchemaLocation=”urn:magento:module:Magento_Store:etc/config.xsd”> <default> <csp> <mode> <storefront> <report_only>1</report_only> <report_uri>https://*mysubdomain*.report-uri.com/r/d/csp/reportOnly</report_uri> </storefront> <admin> <report_uri>https://*mysubdomain*.report-uri.com/r/d/csp/reportOnly</report_uri>… Read More »CSP report-only working on firefox only?
With this test code <?= /* noEscape */ $secureRenderer->renderTag(‘script’, [‘id’ => ‘testjs’], ‘var thisisatest=0;’, false ); ?> I’d expect Magento to output a script tag similar to <script id=”textjs” nonce=”random-nonce-characters”>var thisisatest=0;</script> But it’s not, instead outputting <script id=”testjs”>var thisisatest=0;</script> I’m… Read More »Magento secureRenderer not producing nonce
I’m having a free theme provided by third party named FreeGo Solwin, this theme seem to load some font and js from an external site which violate the magento CSP. I’ve try add the whitelist file into folder etc of… Read More »How do i resolve CSP for my magento custom theme
I have error ‘Refused to execute inline script because it violates the following Content Security Policy directive…’ in console. I tried to solve this in the following ways In .phtml <script type=”text/x-magento-init”> {“*”: { “gtmLoader”: { “gtmId”: “<?= $viewModel->getGtmId(); ?>”… Read More »gtm.js?id=xxx CSP error on checkout page
After updating to p8 I had the same issue as a lot of others where the checkout totally broke. This was solved by updating a lot extensions (Magepal GTM/Ecommerce) that were not CSP compatible. IE none of their JS was… Read More »Magento 2.4.5-p8 Broken CSS stlyesheet link due to OnClick and CSP issues
We’ve enable magento 2 CSP module which we used to have disable. We configure all the white list and it works fine for most of the website. We only have issues when users clicks embeded youtube videos, the website show… Read More »About CORS policy CSP configuration
I’m posting this issue with the hope we can come with some kind of centralized community agreements on how to handle CSP in checkout with the latest patch magento release and concrete example and procedure. I won’t define here why… Read More »APSB24-40 Security Patch: CSP and Checkout Updates
I have a controller that inject a phtml via the $this->_view->getLayout()->getBlock(‘block_name’)->toHtml(); code. The problem is that the template for this block has an inline javascript. I have tried to use the secure renderTag() method but it doesn’t work: when I… Read More »magento 2.4.4 csp secure renderTag not working with generated content
ISSUE: Refused to execute inline script because it violates the following Content Security Policy directive: “script-src assets.adobedtm.com *.adobe.com data: www.googleadservices.com www.google-analytics.com googleads.g.doubleclick.net analytics.google.com www.googletagmanager.com *.newrelic.com *.nr-data.net geostag.cardinalcommerce.com 1eafstag.cardinalcommerce.com geoapi.cardinalcommerce.com 1eafapi.cardinalcommerce.com songbird.cardinalcommerce.com includestest.ccdc02.com www.paypal.com www.sandbox.paypal.com www.paypalobjects.com t.paypal.com s.ytimg.com www.googleapis.com vimeo.com www.vimeo.com… Read More »CSP Module Issue in patch upgrade magento version 2.4.6-p6