mage2_ext_csp

Module to collect CSP violations reports and convert it to the CSP rules.

Attention! Starting from version 0.0.5 module's functionality is disabled by default. You need explicitly enable module in Stores / Configuration / Security / CSP / General.

Description

There are a lot of Content Security Policy (CSP) warnings in Javascript console for Magento 2.3.5+:

This module adds report-uri ...; directive to CSP header, collects reports (separately for admin & front areas) then generates new rules to eliminate CSP warnings in console. Cron tasks to analyze reports & generate rules starts hourly.

The main goal of this module is to remove CSP errors from JS console completely but you can use this module to collect reports only (just disable activation for new rules in config).

You can switch CSP from report only to strict mode (set Report Only to false in config) after all violation reports will be converted to the rules and all not-allowed content will be locked by browser.

Installation

composer.json

"require": {
    "flancer32/mage2_ext_csp": "*"
}

$ ./bin/magento deploy:mode:set developer
$ composer require flancer32/mage2_ext_csp
$ ./bin/magento setup:upgrade
$ ./bin/magento deploy:mode:set production
$ ./bin/magento cache:clean

Docs

• Configuration
• Usage strategy
• Grids:
  • Violations reports
  • CSP rules
• CLI
• Cron
• DB structure