Description
Preconditions and environment
- 2.4.7 and 2.4-develop
Steps to reproduce
- Put csp_whitelist.xml under your frontend theme's etc/ directory (any theme will do, including Luma).
- Clear your cache
- Without doing anything else, open your admin page.
- Now open the frontend and check its Content-Security-Policy response header (curl -sI against a storefront URL will show it).
Expected result
Domains listed in your custom csp_whitelist.xml under the theme should be reflected in the frontend CSP headers.
Actual result
If the admin is hit first after a cache flush, the domains in your theme's csp_whitelist.xml do not appear on the frontend.
Additional information
This bug happens because the contents of csp_whitelist.xml in the theme are stored in the global cache.
Let's see how this works right now.
The CSP cache is maintained per area. For example, you will find 3 files in your cache:
var/cache/mage--8/mage---06a_FRONTEND__CSP_WHITELIST_CONFIG
var/cache/mage--2/mage---06a_GLOBAL__CSP_WHITELIST_CONFIG
var/cache/mage--a/mage---06a_ADMINHTML__CSP_WHITELIST_CONFIG
Now the bug happens because of app/code/Magento/Csp/Model/Collector/CspWhitelistXml/FileResolver.php:
    public function get($filename, $scope)
    {
        // Module-level csp_whitelist.xml files for the requested scope.
        $configs = $this->moduleFileResolver->get($filename, $scope);
        if ($scope === 'global') {
            // Theme files are only added in the global scope, and $this->theme is
            // whatever theme the current area resolved (Magento/backend for admin).
            $files = [];
            $theme = $this->theme;
            while ($theme) {
                /** @var CustomizationInterface $info */
                $info = $this->themeInfoFactory->create(['theme' => $theme]);
                $file = $info->getThemeFilesPath() . '/etc/' . $filename;
                if ($this->rootDir->isExist($file)) {
                    $files[] = $file;
                }
                $theme = $theme->getParentTheme(); // walk up to the parent theme
            }
            // Parent themes first, then children, appended after the module files.
            $configs = $this->iteratorFactory->create(
                ['paths' => array_reverse($files), 'existingIterator' => $configs]
            );
        }
        return $configs;
    }
The if ($scope === 'global') branch causes the theme's csp_whitelist config to be written into the global cache entry, even though $this->theme depends on the area that is serving the request.
After a cache flush, if an admin request lands on the server first, $this->theme is the admin design theme, Magento/backend. In that case your frontend theme's file is never read, the global cache entry is populated from Magento/backend, and every later frontend request reads that entry.
The behavior therefore depends entirely on which area's request lands first, frontend or admin. This also makes for a poor developer experience, because the result differs from run to run.
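The race described above, replayed in a standalone script. This is an added illustration, not Magento code: the theme tree, the domains in each theme's csp_whitelist.xml, the module-level domain and the cache-key functions are all constructed for the example, and themeScopedCacheKey() is a hypothetical mitigation, not the upstream fix.

```php
<?php
// Added illustration of the ordering bug described above; this is not Magento code.
// It models one shared cache entry that two areas race to populate after a flush.
declare(strict_types=1);

// Constructed theme tree: theme name => parent theme and the domains its
// etc/csp_whitelist.xml would contribute. Magento/backend has no whitelist file.
const THEMES = [
    'Magento/backend' => ['parent' => null,            'domains' => []],
    'Magento/blank'   => ['parent' => null,            'domains' => ['fonts.example.net']],
    'Magento/luma'    => ['parent' => 'Magento/blank', 'domains' => ['cdn.example.com']],
];
// Constructed stand-in for what moduleFileResolver->get() contributes.
const MODULE_DOMAINS = ['*.adobe.com'];

/** Mirrors FileResolver::get(): theme files are consulted only when $scope === 'global'. */
function resolveDomains(string $scope, string $currentTheme): array
{
    $domains = MODULE_DOMAINS;
    if ($scope === 'global') {
        $themeLists = [];
        for ($theme = $currentTheme; $theme !== null; $theme = THEMES[$theme]['parent']) {
            $themeLists[] = THEMES[$theme]['domains'];   // child first, like the while loop
        }
        foreach (array_reverse($themeLists) as $list) {  // parent first, like array_reverse($files)
            $domains = array_merge($domains, $list);
        }
    }
    return $domains;
}

/** Current behaviour: one entry per scope, no matter which theme produced it. */
function globalCacheKey(string $scope, string $theme): string
{
    return strtoupper($scope) . '__CSP_WHITELIST_CONFIG';
}

/** Hypothetical mitigation: include the theme in the key so areas cannot poison each other. */
function themeScopedCacheKey(string $scope, string $theme): string
{
    return strtoupper($scope) . '__' . str_replace('/', '_', $theme) . '__CSP_WHITELIST_CONFIG';
}

/**
 * Replay a request sequence against an empty cache and return the domain list
 * the last frontend request was served from.
 */
function simulate(callable $keyFn, array $requests): array
{
    $cache = [];                    // state right after bin/magento cache:flush
    $frontendSaw = [];
    foreach ($requests as [$area, $theme]) {
        $key = $keyFn('global', $theme);
        if (!isset($cache[$key])) {
            $cache[$key] = resolveDomains('global', $theme);   // cache miss: populate
        }
        if ($area === 'frontend') {
            $frontendSaw = $cache[$key];
        }
    }
    return $frontendSaw;
}

$adminFirst    = [['adminhtml', 'Magento/backend'], ['frontend', 'Magento/luma']];
$frontendFirst = [['frontend', 'Magento/luma'], ['adminhtml', 'Magento/backend']];

foreach (['globalCacheKey', 'themeScopedCacheKey'] as $keyFn) {
    printf("%-20s admin first:    %s\n", $keyFn, implode(', ', simulate($keyFn, $adminFirst)));
    printf("%-20s frontend first: %s\n", $keyFn, implode(', ', simulate($keyFn, $frontendFirst)));
}
```

Running the script shows the dependency on ordering: with globalCacheKey the admin-first sequence leaves the frontend with only *.adobe.com, while the frontend-first sequence yields *.adobe.com, fonts.example.net, cdn.example.com; with the theme-scoped key both orders give the full list. Whether the real fix keys the cache by theme or moves the theme lookup out of the global scope is a design choice; the point is that any cache key shared between areas reproduces the race. On a live install the equivalent check is to flush the cache, request the admin URL, then run curl -sI against a storefront URL and confirm the theme's domains are present in the Content-Security-Policy header.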
Release note
No response
Triage and priority
- Severity: S0 - Affects critical data or functionality and leaves users without workaround.
- Severity: S1 - Affects critical data or functionality and forces users to employ a workaround.
- Severity: S2 - Affects non-critical data or functionality and forces users to employ a workaround.
- Severity: S3 - Affects non-critical data or functionality and does not force users to employ a workaround.
- Severity: S4 - Affects aesthetics, professional look and feel, “quality” or “usability”.