Missing CSP Nonce Registration for Inline Script

[homecoded]

The file view/frontend/templates/hyva/add-webp-class-to-body.phtml
defines an inline-script but does not have any CSP-nonce registration.

This template is included on all pages via view/frontend/layout/hyva_default.xml, which also affects the Hyvä Checkout pages. On those pages, strict Content Security Policy rules block all unregistered inline-scripts:

Refused to execute inline script because it violates the following Content Security Policy directive

Suggested Fix:

Please add the missing call to registerInlineScript() in view/frontend/templates/hyva/add-webp-class-to-body.phtml.

Like so:
<?php $hyvaCsp->registerInlineScript(); ?>

If you're short on time, I’d be happy to submit a PR for this. Just let me know how you'd prefer to proceed.

[hostep]

For backwards compatibility with Hyvä versions that don't have $hyvaCsp being injecteded yet, I would recommend this approach:

<?php isset($hyvaCsp) && $hyvaCsp->registerInlineScript() ?>

Credits to Mollie from where I got the inspiration (over here)

[homecoded]

@hostep This is a very good idea. Thanks for that!

[jissereitsma]

Sorry for not chiming in earlier. I've got a couple of remarks to make, which lead me to say that adding Hyva CSP statements all around the place is a bad idea.

First of all, adding CSP nonces is a practice commonly advocated when talking about Magento and CSP. But nonces add much less security if they are cached, like when enabling the Full Page Cache on various pages where WebP / NextGenImages scripts are used. So, just adding CSP nonces bluntly everywhere is not the solution.

Second, the alternative to CSP nonces is to add CSP hashes instead. This is supported by the CSP solution of Hyva as well. However, again this leads to issues, for instance when too many scripts are registered on a page, making the HTTP headers large. Which again could be bypassed by adding a module that splits the headers.

Both solutions have their upsides and downsides, depending on the project. And this choice needs to be made by every integrator per project. This is why I do not prefer the CSP solution offered by Hyva. Plus, that CSP solution does not work with non-Hyva themes either. It would only be a half solution.

This is exactly, why this Yireo module and others ship with a dependency with Yireo_CspUtilities in mind, that allows an integrator to select either hash or nonce as a configuration setting. And it works with Hyva, Luma and Breeze. And it works in older Magento versions as well that don't support CSP at all.

https://github.com/yireo/Yireo_Webp2/blob/master/etc/module.xml#L6

We have been testing this module with CSP enabled in strict mode and we have been running this module in production with CSP enabled in strict mode. And simply said, the Yireo_CspUtilities approach works without issues. Plus it allows the integrator to make the preferred CSP mechanism.

So let's discuss enhancing the Yireo_CspUtilities module which fixes many scenarios for many modules in one go, instead of only fixing things for Hyva sites that are using the CSP build?

[homecoded]

Hi @jissereitsma,

thanks for the detailed explanation. Much appreciated! You raise several very valid points I hadn't fully weighed, especially regarding the broader implications in cached environments.

My initial goal was simply to resolve the checkout error as quickly as possible. In hindsight, I would agree, that my solution is not ideal.

I'll give Yireo_CspUtilities a try. It seems like good solution from a first glance. I'll report back once I've integrated it.

Thanks again for taking the time for a clear and thoughtful breakdown. This helps me a lot.