feat: add CSP whitelist and update Alpine.js to version 3.15.11 with hash security#159
Merged
Contributor
Pull request overview
This PR updates how the MageForge frontend inspector loads Alpine.js by switching to a newer CDN version with Subresource Integrity (SRI) and adding a Magento CSP whitelist entry so the CDN host is permitted.
Changes:
- Bumped Alpine.js CDN version in `inspector.phtml` and added SRI + `crossOrigin`.
- Added a `csp_whitelist.xml` entry to allow `cdn.jsdelivr.net` for `script-src`.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| src/view/frontend/templates/inspector.phtml | Updates Alpine.js CDN URL and adds SRI/crossOrigin attributes for the dynamically injected script. |
| src/etc/csp_whitelist.xml | Adds CSP whitelist entry to permit loading scripts from cdn.jsdelivr.net. |
Contributor
Pull request overview
Updates how MageForge’s frontend inspector loads Alpine.js from a CDN to comply with Magento CSP requirements while improving supply-chain security via SRI.
Changes:
- Upgraded Alpine.js CDN version to `3.15.11` and added SRI + `crossOrigin` handling in the inspector bootstrap.
- Rendered the inline bootstrap via Magento's secure HTML renderer to better align with CSP nonce handling.
- Added a frontend CSP whitelist entry allowing `cdn.jsdelivr.net` for `script-src`.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| src/view/frontend/templates/inspector.phtml | Updates Alpine loader to use jsDelivr 3.15.11 with SRI and CSP-safe inline script rendering. |
| src/etc/frontend/csp_whitelist.xml | Whitelists cdn.jsdelivr.net for script-src under Magento CSP. |
This pull request updates the way Alpine.js is loaded in the frontend and ensures compliance with Magento's Content Security Policy (CSP) requirements. The main changes include upgrading Alpine.js to a newer version, adding Subresource Integrity (SRI) for security, and whitelisting the CDN in the CSP configuration.
Frontend JavaScript Loading:
- `inspector.phtml`: added Subresource Integrity (SRI) and `crossOrigin` attributes to enhance security when loading from the CDN.

Security and CSP Configuration:
- `csp_whitelist.xml`: whitelists `cdn.jsdelivr.net` for `script-src`, ensuring the CDN is allowed by Magento's CSP module.