Description
Given you have strict mode enabled (e.g., in the checkout) and include a script which requires marketing cookie consent, like this:

```html
<script type="text/plain" data-cookieconsent="marketing">
console.log('Marketing script loaded.');
</script>
```
In the checkout, you will get an error:
```
uc.js:2 Executing inline script violates the following Content Security Policy directive '{{ CSP_DIRECTIVE }}'. Either the 'unsafe-inline' keyword, a hash ('sha256-{{ HASH }}'), or a nonce ('nonce-...') is required to enable inline execution. The action has been blocked.
```
The process is the following:
- During page load, the script will not be executed as it has `type="text/plain"`.
- When Cookiebot loads and detects that marketing cookies have been consented, it will try to inject the script with `type="text/javascript"` via `insertBefore`.
- The insertion of the script will be blocked because external scripts are not allowed to inject scripts into the page.
We are struggling to find a way to add support for this use case in the extension without weakening security. Options:

- Users of the module need to add the hashes of all such scripts shown in the error messages in the console to their project-specific `csp_whitelist.xml`, like this:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<csp_whitelist xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Csp:etc/csp_whitelist.xsd">
    <policies>
        <policy id="script-src">
            <values>
                <value id="cookiebot_inline_script_x" type="hash" algorithm="sha256">{{ HASH }}</value>
            </values>
        </policy>
    </policies>
</csp_whitelist>
```

- We need to add `strict-dynamic` to the CSP directive. This weakens security, so this is not really a viable option.
We are running out of ideas. If anyone has any idea or input, please share :)
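As an added example (not part of this issue, Cookiebot, or the extension's code), the following Python helper computes the `sha256-…` source expression a browser reports for an inline script body and emits the matching `<value>` entry for the first option above. It assumes that the whitelist element text is the base64 digest without the `sha256-` prefix, and the sample HTML (including the `/js/uc.js` loader path) is constructed for the example.

```python
import base64
import hashlib
import re

# Constructed sample page fragment: the consent-gated inline script from the
# issue plus an external loader (the /js/uc.js path is a placeholder).
SAMPLE_HTML = """<script src="/js/uc.js"></script>
<script type="text/plain" data-cookieconsent="marketing">
console.log('Marketing script loaded.');
</script>
"""

# Exact text between the inline <script> tags above, newlines included.
SAMPLE_BODY = "\nconsole.log('Marketing script loaded.');\n"

# <script> elements without a src attribute, capturing the body between the tags.
_INLINE_SCRIPT = re.compile(
    r"<script\b(?![^>]*\bsrc=)[^>]*>(.*?)</script>",
    re.DOTALL | re.IGNORECASE,
)


def csp_sha256(script_body: str) -> str:
    """Return the CSP source expression ('sha256-<base64>') for an inline script.

    Browsers hash the exact bytes between <script> and </script>, so leading or
    trailing whitespace is part of the input and changes the result.
    """
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


def matches(script_body: str, source_expr: str) -> bool:
    """True if source_expr is the hash source for exactly this script body."""
    return csp_sha256(script_body) == source_expr


def inline_script_bodies(html: str) -> list:
    """Bodies of <script> elements that carry no src attribute (inline only)."""
    return _INLINE_SCRIPT.findall(html)


def whitelist_values(html: str, id_prefix: str = "cookiebot_inline_script_") -> list:
    """One <value> element per inline script, in csp_whitelist.xml form.

    Assumption: the element text is the base64 digest without the 'sha256-'
    prefix, which is prepended when the script-src directive is built.
    """
    values = []
    for n, body in enumerate(inline_script_bodies(html), start=1):
        b64 = csp_sha256(body)[len("sha256-"):]
        values.append(
            f'<value id="{id_prefix}{n}" type="hash" algorithm="sha256">{b64}</value>'
        )
    return values


if __name__ == "__main__":
    for line in whitelist_values(SAMPLE_HTML):
        print(line)
```

The hash covers the script body byte for byte, so a template that adds or removes a newline around the snippet silently invalidates the whitelisted value; `matches()` is the check to run against the hash quoted in the console error before assuming the whitelist entry is wrong.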