
Putting csp_whitelist.xml in theme does not work and creates intermittent issue #38933

Open
@Jakhotiya

Description


Preconditions and environment

  • 2.4.7 and 2.4-develop

Steps to reproduce

  • Put csp_whitelist.xml under your frontend theme's etc/ directory. (You can put this in the Luma theme too; any theme will work.)
  • Clear your cache.
  • Without doing anything else, open your admin page.
  • Now open the frontend and check the CSP headers.

Expected result

Domains listed in your custom csp_whitelist.xml under the theme should be reflected on the frontend.

Actual result

If the admin is hit first after a cache flush, the domains in your theme's csp_whitelist.xml are not seen on the frontend.

Additional information

This bug happens because the contents of csp_whitelist.xml in the theme are stored in the global cache.
Let's see how this works right now.
The CSP cache is maintained area-wise. For example, you will find 3 files in your cache:

var/cache/mage--8/mage---06a_FRONTEND__CSP_WHITELIST_CONFIG
var/cache/mage--2/mage---06a_GLOBAL__CSP_WHITELIST_CONFIG
var/cache/mage--a/mage---06a_ADMINHTML__CSP_WHITELIST_CONFIG

Now the bug happens because of app/code/Magento/Csp/Model/Collector/CspWhitelistXml/FileResolver.php:

    public function get($filename, $scope)
    {
        // Module-level csp_whitelist.xml files for the requested scope
        $configs = $this->moduleFileResolver->get($filename, $scope);
        if ($scope === 'global') {
            // Theme-level files are only collected for the global scope,
            // walking from the current theme up through its parents
            $files = [];
            $theme = $this->theme;
            while ($theme) {
                /** @var CustomizationInterface $info */
                $info = $this->themeInfoFactory->create(['theme' => $theme]);
                $file = $info->getThemeFilesPath() . '/etc/' . $filename;
                if ($this->rootDir->isExist($file)) {
                    $files[] = $file;
                }
                $theme = $theme->getParentTheme();
            }
            // Parent themes first, so child theme files are merged last
            $configs = $this->iteratorFactory->create(
                ['paths' => array_reverse($files), 'existingIterator' => $configs]
            );
        }

        return $configs;
    }

if ($scope === 'global') leads to the csp_whitelist config in the theme being put in the global cache.
After a cache flush, if an admin request lands on the server, the $theme variable is set to Magento/backend.
In this case, your file in the frontend theme won't be read. The global cache is then populated according to Magento/backend.

The behavior completely depends on which area request lands first, frontend or admin. This leads to poor developer experience too.

Release note

No response

Triage and priority

  • Severity: S0 - Affects critical data or functionality and leaves users without workaround.
  • Severity: S1 - Affects critical data or functionality and forces users to employ a workaround.
  • Severity: S2 - Affects non-critical data or functionality and forces users to employ a workaround.
  • Severity: S3 - Affects non-critical data or functionality and does not force users to employ a workaround.
  • Severity: S4 - Affects aesthetics, professional look and feel, “quality” or “usability”.
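The order dependence described in the report can be replayed without a Magento install. The following is an added illustration, not Magento code: it models the area-scoped cache entries (GLOBAL / FRONTEND / ADMINHTML) and compares attaching the theme's csp_whitelist.xml to the global scope, as the quoted FileResolver does, with keying it by the area of the request. All names (WhitelistCache, resolveScope, effectiveWhitelist, frontendAfter), the sample themes and the hosts are constructed for this demo; the per-area variant shows why the symptom disappears, it is not a claim about how the project fixed the issue.

```php
<?php
// Added illustration (not Magento code): a minimal model of the area-scoped
// CSP whitelist cache from the issue. Theme/host names are constructed.
declare(strict_types=1);

// Constructed sample: active theme per area, and which hosts each theme's
// csp_whitelist.xml declares. Only the frontend theme ships one.
const THEME_BY_AREA = ['frontend' => 'Vendor/custom', 'adminhtml' => 'Magento/backend'];
const THEME_WHITELIST = [
    'Vendor/custom'   => ['cdn.example.test'],
    'Magento/backend' => [],
];
// Module-level csp_whitelist.xml contributions per scope (constructed).
const MODULE_WHITELIST = ['global' => ['module.example.test'], 'frontend' => [], 'adminhtml' => []];

/** Stand-in for the cache files <AREA>__CSP_WHITELIST_CONFIG named in the report. */
final class WhitelistCache
{
    /** @var array<string, string[]> */
    private array $entries = [];

    public function load(string $key): ?array { return $this->entries[$key] ?? null; }
    public function save(string $key, array $hosts): void { $this->entries[$key] = $hosts; }
    public function flush(): void { $this->entries = []; }
}

/**
 * Resolve one scope, filling its cache entry on a miss.
 * $perArea = false: theme files are merged while resolving 'global' (the quoted behaviour);
 * $perArea = true : theme files are merged while resolving the request's own area.
 */
function resolveScope(string $scope, string $area, bool $perArea, WhitelistCache $cache): array
{
    $key = strtoupper($scope) . '__CSP_WHITELIST_CONFIG';
    $cached = $cache->load($key);
    if ($cached !== null) {
        return $cached;
    }
    $hosts = MODULE_WHITELIST[$scope];
    $themeScope = $perArea ? $area : 'global';
    if ($scope === $themeScope) {
        // Which theme is looked up depends on the area of the request filling the cache.
        $hosts = array_merge($hosts, THEME_WHITELIST[THEME_BY_AREA[$area]]);
    }
    $cache->save($key, $hosts);
    return $hosts;
}

/** Effective whitelist for a request in $area: global scope merged with the area scope. */
function effectiveWhitelist(string $area, bool $perArea, WhitelistCache $cache): array
{
    $hosts = array_values(array_unique(array_merge(
        resolveScope('global', $area, $perArea, $cache),
        resolveScope($area, $area, $perArea, $cache)
    )));
    sort($hosts);
    return $hosts;
}

/** Replays the reproduction steps: flush, serve $first area, then inspect the frontend. */
function frontendAfter(string $first, bool $perArea): array
{
    $cache = new WhitelistCache();
    $cache->flush();
    effectiveWhitelist($first, $perArea, $cache);
    return effectiveWhitelist('frontend', $perArea, $cache);
}

foreach ([false, true] as $perArea) {
    echo $perArea ? "theme files keyed per area\n" : "theme files under global scope (as in the issue)\n";
    foreach (['frontend', 'adminhtml'] as $first) {
        printf("  first request %-9s -> frontend whitelist: %s\n",
            $first, implode(', ', frontendAfter($first, $perArea)));
    }
}
```

Run it with `php` from the command line: with theme files under the global scope, the frontend whitelist contains cdn.example.test only when the frontend request came first after the flush; with theme files keyed per area, the admin request fills ADMINHTML and GLOBAL from Magento/backend while FRONTEND is still filled from the frontend theme, so the result no longer depends on request order. On a real store the same check is a cache flush followed by an admin page load and then a request to the storefront whose Content-Security-Policy response header is inspected for the theme's domains.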

Metadata

Labels

  • Area: Content
  • Component: Csp
  • Issue: Confirmed (Gate 3 Passed. Manual verification of the issue completed. Issue is confirmed)
  • Priority: P2 (A defect with this priority could have functionality issues which are not to expectations.)
  • Progress: ready for dev
  • Reported on 2.4.7 (Indicates original Magento version for the Issue report.)
  • Reproduced on 2.4.x (The issue has been reproduced on latest 2.4-develop branch)
  • Triage: Dev.Experience (Issue related to Developer Experience and needs help with Triage to Confirm or Reject it)

Development

No branches or pull requests