Content Security Policies Manager for Magento 2

v2.2.2 ($49.00)

Magento, starting from version 2.3.5, ships a Content Security Policy (CSP) tool that protects against Cross-Site Scripting (XSS) and related attacks. Shop owners should not ignore it or, worse, disable it, because it protects customers from card skimmers, session hijacking, clickjacking and similar attacks. Read more about XSS.

As usually happens, the new tool brings new headaches for shop owners. Many external resources used across their websites are not on the CSP whitelist: YouTube, external images, CDNs, live chats, various metrics and other services. These either stop working or produce numerous errors in the browser console.

This extension is built to help you organize the CSP whitelist by providing means to view all current policies, add new ones, disable unreliable resources (added by 3rd-party modules), and toggle content security mode from within the Magento admin panel.

Description

The settings controlling available CSP modes can be found here:
• Stores > Configuration > SAFEMAGE > Content Security Policies Manager

Restrict – production mode that blocks any hosts not specifically whitelisted.
Report Only – developer mode, useful for debugging and collecting statistics.
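The two modes differ only in which response header the shop sends and therefore in what the browser does with a host that is missing from the whitelist. The following added Python example (not code from the extension or from Magento) builds the header from records shaped like the grid's Group/Value/status fields and shows the outcome for a host in each mode; the record layout and the report endpoint path are assumptions.

```python
"""Build the header Magento sends in Restrict or Report Only mode.

Added example in Python, not code from the Content Security Policies Manager
extension or from Magento. The record tuples mirror the grid fields on the
page (Group, Value, enabled/disabled); the report endpoint path is assumed.
"""

# Constructed sample records: (group, value, enabled)
POLICIES = [
    ("script-src", "'self'", True),
    ("script-src", "https://www.googletagmanager.com", True),
    ("script-src", "https://unwanted-tracker.example", False),  # disabled record
    ("img-src", "'self'", True),
    ("img-src", "*.example.com", True),
    ("frame-src", "https://www.youtube.com", True),
    ("font-src", "https://fonts.gstatic.com", True),
]

REPORT_URI = "/csp/report/"  # assumed endpoint, not the extension's real path


def build_policy(records, report_only):
    """Return (header_name, header_value) for the enabled records.

    Restrict mode emits Content-Security-Policy, which the browser enforces:
    a resource from a host that is not whitelisted in its group is blocked.
    Report Only mode emits Content-Security-Policy-Report-Only, which lets
    the resource load and only posts a violation report to report-uri, so a
    missing host cannot break the storefront while you collect statistics.
    """
    groups = {}
    for group, value, enabled in records:
        if enabled:  # disabled records never reach the header
            groups.setdefault(group, []).append(value)
    parts = [f"{group} {' '.join(values)}" for group, values in groups.items()]
    parts.append(f"report-uri {REPORT_URI}")
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return name, "; ".join(parts)


def host_matches(source, host):
    """Match a host against one host-source expression (scheme, port and
    path are ignored; keywords like 'self' are handled by the caller)."""
    pattern = source.lower().split("://")[-1].split("/")[0]
    host = host.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # *.example.com does not match example.com
    return pattern == host


def is_whitelisted(records, group, host):
    """True if some enabled record in `group` admits `host`."""
    return any(
        enabled and g == group and not value.startswith("'") and host_matches(value, host)
        for g, value, enabled in records
    )


def browser_action(records, report_only, group, host):
    """What the browser does with `host` in `group` under the chosen mode:
    Restrict blocks a non-whitelisted host, Report Only only reports it."""
    if is_whitelisted(records, group, host):
        return "allowed"
    return "reported" if report_only else "blocked"


if __name__ == "__main__":
    for mode in (False, True):
        name, value = build_policy(POLICIES, report_only=mode)
        print(f"{name}: {value}")
    print(browser_action(POLICIES, False, "script-src", "cdn.livechat.example"))
```

Note that a disabled record is simply left out of the header, which is why disabling an unreliable host added by a third-party module is enough to stop the browser loading it in Restrict mode.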

There are also extra settings that control adding new policies from reports (storefront or admin). This collects new CSP violation reports from browsers and automatically adds the corresponding records to the list. This handy feature saves you time and helps you find missing groups and hosts. If you would rather approve new policies yourself and keep new records pending, enable Assign Pending Status to New.

Please note that not all browsers support automatic reports. We guarantee proper reporting on recent versions of Chrome, Firefox and Safari. Whenever an untracked CSP host is found on a website page, a new record is added immediately.

The grid page where all available CSP can be managed is located here:
• System > Tools > Content Security Policies

Statuses can easily be toggled between Disabled and Enabled using mass actions. Note that installing or updating extensions, or changing the configuration, results in new pending records appearing in the grid.

System policies (which can't be deleted, only disabled) are listed here by default. New records can be added, edited and removed manually. When creating a policy, take care to select the proper Group. The list below covers the most common CSP groups (directives).

font-src – fonts served from external sources
form-action – valid endpoints for submission from a <form> tag
frame-src – embedded iframes
img-src – images served from external sources
script-src – external JavaScript elements
style-src – stylesheet files

Scope – application area, can be Global, Storefront, and Admin.

Code – any unique value. Generated automatically if empty.

Value – correct source host, e.g., m.youtube.com, *.example.com, etc.

Source – the page URL from which the content security data was reported.
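The report collection described above has to map each browser report onto these fields, and browsers are not uniform about it. The following added Python example (not the extension's code) parses constructed report bodies in the standard report-uri JSON shape, takes the directive name as the Group, the blocked host as the Value and the reporting page as the Source, derives Storefront or Admin scope from the page path, generates a Code when none is given, skips non-host sources and duplicates, and honours the Assign Pending Status to New setting. The admin URL prefix and the record layout are assumptions.

```python
"""Turn browser CSP violation reports into pending whitelist records.

Added example in Python, not code from the Content Security Policies Manager
extension. The report JSON shape is the standard report-uri format; the
record fields follow the page (Group, Scope, Code, Value, Source, status) and
the admin URL prefix used to tell Admin from Storefront scope is an assumption.
"""
import hashlib
import json
from urllib.parse import urlparse

# blocked-uri values that name a source kind rather than a host; these need a
# keyword such as 'unsafe-inline', not a host record, so they are skipped.
NON_HOST_SOURCES = {"", "inline", "eval", "data", "self", "blob", "about", "wasm-eval"}


def record_from_report(body, existing, assign_pending=True, admin_prefix="/admin/"):
    """Return a new record dict for one report body, or None if nothing to add.

    `existing` is the set of (scope, group, value) keys already in the grid;
    it is updated so a second report for the same host is not added twice.
    """
    report = json.loads(body).get("csp-report", {})
    # Chrome fills effective-directive; Safari and older browsers send only
    # violated-directive, sometimes with the whole source list appended
    # ("img-src 'self' *.example.com"), so keep just the directive name.
    directive = report.get("effective-directive") or report.get("violated-directive", "")
    group = directive.split()[0] if directive.strip() else ""
    blocked = report.get("blocked-uri", "")
    if not group or blocked in NON_HOST_SOURCES:
        return None
    parsed = urlparse(blocked)
    host = parsed.netloc or blocked.split("/")[0]  # tolerate a bare host
    if not host:
        return None
    source = report.get("document-uri", "")
    scope = "Admin" if urlparse(source).path.startswith(admin_prefix) else "Storefront"
    key = (scope, group, host)
    if key in existing:
        return None
    existing.add(key)
    return {
        "group": group,
        "scope": scope,
        # Code is a unique value generated when left empty; a short hash of
        # the key is one deterministic way to produce it.
        "code": hashlib.sha256("|".join(key).encode()).hexdigest()[:12],
        "value": host,
        "source": source,
        "status": "Pending" if assign_pending else "Enabled",
    }


def collect(bodies, existing=None, assign_pending=True):
    """Process a batch of report bodies and return the records to add."""
    existing = set() if existing is None else existing
    records = []
    for body in bodies:
        rec = record_from_report(body, existing, assign_pending)
        if rec:
            records.append(rec)
    return records


def _report(**fields):
    return json.dumps({"csp-report": fields})


# Constructed sample reports, shaped like real browser POST bodies.
SAMPLE_REPORTS = [
    _report(document_uri_="", **{"document-uri": "https://shop.example/checkout/",
                                "effective-directive": "script-src",
                                "violated-directive": "script-src",
                                "blocked-uri": "https://cdn.livechat.example/widget.js"}),
    _report(**{"document-uri": "https://shop.example/",
               "violated-directive": "img-src 'self' *.example.com",
               "blocked-uri": "https://i.ytimg.com/vi/abc/hq.jpg"}),
    _report(**{"document-uri": "https://shop.example/",
               "effective-directive": "script-src",
               "blocked-uri": "inline"}),  # needs a keyword, not a host record
    _report(**{"document-uri": "https://shop.example/product/",
               "effective-directive": "script-src",
               "blocked-uri": "https://cdn.livechat.example/other.js"}),  # same host, deduped
    _report(**{"document-uri": "https://shop.example/admin/dashboard/",
               "effective-directive": "frame-src",
               "blocked-uri": "https://www.youtube.com/embed/xyz"}),
]

if __name__ == "__main__":
    for rec in collect(SAMPLE_REPORTS):
        print(rec)
```

Running the sample batch yields three records: the live chat host under script-src, the YouTube thumbnail host under img-src (parsed from a Safari-style violated-directive), and the YouTube embed under frame-src with Admin scope; the inline violation and the duplicate host are dropped.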

Remember to flush the cache whenever you're done making adjustments.

Features

  • Ability to change the CSP mode in Magento – Restrict or Report Only
  • Displays the full policy list in a grid view
  • Simple means to add new domains with the proper group
  • Automatically adds new items from browser reports to the database
  • Disables any unwanted record implemented by a 3rd-party module
  • Tracks new records in the list after installing or updating extensions

Compatibility

Magento Open Source (CE) 2.3.x, 2.4.x
Magento Commerce (EE) 2.3.x, 2.4.x

Support

We provide comprehensive product support for all the Magento extensions available on this site from the moment of purchase. If you need help with installing the extensions or with any issues relating to our products, our dedicated team of proven technical experts is at your service, ready to assist you at any time.

Changelog

v.2.2.1 (Apr 21, 2021)
Addressed an issue with reporting from Safari.
v.2.2.0 (Apr 20, 2021)
Added Source and User Agent info.
v.2.1.1 (Apr 19, 2021)
Addressed an issue with CSP reports.
v.2.1.0 (Apr 16, 2021)
Added the ability to add new policies from Report-Uri.
Added scope: Global, Storefront, Admin.
v.2.0.0 (Apr 9, 2021)
Initial release.
