
August 2, 2024

Magento, Hyvä Checkout and CSP

Yireo Blog Post

For some time now, Magento has been shipping with a CSP module, in general for security reasons but more specifically for PCI compliance. Magento 2.4.7 changed the game, and Hyvä is as yet not compatible with these changes. But there are solutions.

Magento 2.4.7

CSP has shipped in the Magento core for a long time (in the form of the Magento_Csp module). However, not everyone liked CSP. Its advocates immediately reply that it is a requirement for PCI compliance, but PCI compliance is not required for every webshop out there. (During a free Yireo webinar on August 30th 2024, we'll explain more about this, with the Yireo shop as a simple example.)

The main thing is that with Magento 2.4.7 (released April 9th, 2024) two things changed. First of all, various modules now require the Magento_Csp module to be present, otherwise DI compilation fails. Disabling the Magento_Csp module no longer works, and removing the module with a Composer replacement does not work either.

Second, the restrict mode of CSP is now enabled on the checkout (or, more precisely, on the payment pages), and in that mode inline scripts that carry neither a nonce nor a whitelisted hash are blocked instead of merely reported. This effectively means that anyone using the CSP core module together with third-party additions that are not yet CSP-compatible has a broken checkout. This has stirred up discussions in the community over the last couple of months.

Hyvä 1.3.9 is not compatible with CSP

Now comes the annoying thing with Hyvä: its latest release, 1.3.9 (at the time of this writing), is not compatible with these latest CSP changes, as far as I can see. The changelogs reveal that some work on CSP was done in the past. But the inline scripts specifically are a big issue: with Hyvä, Alpine scripts are inline by default, and every single one of those scripts is marked by Magento as risky (leaving a JavaScript warning in the browser console when the CSP reporting mode is on).

Adding to this, the Magento 2.4.7 release turned off the reporting mode in the checkout (as mentioned above), which means that a typical Hyvä Checkout installation is broken. A huge bummer.

Workarounds

There are workarounds though. First of all, the reporting mode can be turned on again in the checkout by programmatically extending the configuration (for example, by adding lines to app/etc/env.php). Second, there are still ways to disable CSP altogether. For instance, I created a simple Yireo_DisableCsp module, but there are alternatives as well.
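As an added example (not from the original post and not from any Yireo module), this is what such an env.php override could look like. It assumes the per-page configuration path that Magento 2.4.7 introduced for the checkout page, csp/mode/storefront_checkout_index_index/report_only; confirm that path against the etc/config.xml of the Magento_Csp version you run before relying on it.

```php
<?php
// app/etc/env.php (excerpt). Added example, not code from the original post.
// Assumption: Magento 2.4.7 resolves the CSP mode per page via
// csp/mode/<area>_<full_action_name>/report_only, with the checkout page being
// storefront_checkout_index_index. Check Magento_Csp/etc/config.xml for your version.
return [
    // ... the existing keys ('db', 'crypt', 'cache', ...) stay exactly as they are
    'system' => [
        'default' => [
            'csp' => [
                'mode' => [
                    // 2.4.7 default for this page is report_only = 0 (restrict mode),
                    // which blocks inline scripts without a nonce or hash. Setting it
                    // to 1 puts the checkout back in report-only mode: violations are
                    // still reported (console / report-uri) but nothing is blocked.
                    'storefront_checkout_index_index' => [
                        'report_only' => '1',
                    ],
                ],
            ],
        ],
    ],
];
```

The equivalent command is bin/magento config:set csp/mode/storefront_checkout_index_index/report_only 1; putting the value in env.php instead locks it so it cannot be flipped back from the admin panel. Flush the config cache afterwards. Either way, this only stops the page from breaking: in report-only mode the browser executes the inline scripts and merely reports them, so the checkout is no longer actually protected by CSP, which is the point of the next paragraph.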

However, turning off CSP is not always an option. Again, if your shop needs to be PCI compliant (and I'm not diving into the details of that here), then you will need to have CSP enabled. And if you have CSP enabled, you need a fix for Hyvä's inline scripts, especially if you are using the Hyvä Checkout.

My own Google Tag Manager extension

I had the same issue with my Yireo_GoogleTagManager2 extension. Because I realized that disabling CSP is just a temporary fix, I sat down to come up with a better solution. The simple approach was to go through every single script shipped with my module and make it CSP-compliant (nonces, $secureRenderer, etc.). However, I was annoyed by this approach because I needed to do this 12 times or so, and I'd like to see myself as lazy.

So I created a generic solution instead: first of all, in the GoogleTagManager module, by simply converting any inline script in any template into a CSP nonce-based script.
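To make concrete what "converting an inline script into a nonce-based script" means, here is an added example in plain PHP. It is not the original post's code and not the Yireo module itself; the function names and the sample template fragment are assumptions made for this example. It shows the two halves that have to agree for a nonce to work: the nonce attribute on each inline script tag, and the matching 'nonce-...' source in the script-src directive of the header.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post or from Yireo_CspWhitelistInlineJs:
// a minimal post-processing step that gives every inline <script> in rendered HTML
// a per-response nonce and builds the matching script-src directive.

/**
 * One nonce per response. CSP requires a base64 value; 16 bytes of CSPRNG output is
 * plenty. A nonce must never be reused across responses: anyone who learns it can
 * use it to get their own script executed.
 */
function generateCspNonce(): string
{
    return base64_encode(random_bytes(16));
}

/**
 * Adds nonce="..." to every <script> opening tag that has no nonce yet and no src=.
 * External scripts (src=) are matched by a host source such as 'self', not by the
 * nonce, so they are left untouched. Closing </script> tags are not matched.
 */
function nonceInlineScripts(string $html, string $nonce): string
{
    $result = preg_replace_callback(
        '/<script\b([^>]*)>/i',
        static function (array $m) use ($nonce): string {
            $attrs = $m[1];
            // (?<![\w-]) keeps data-src= or x-nonce= from counting as src= / nonce=
            if (preg_match('/(?<![\w-])(?:nonce|src)\s*=/i', $attrs)) {
                return $m[0];
            }
            return '<script nonce="' . htmlspecialchars($nonce, ENT_QUOTES, 'UTF-8') . '"' . $attrs . '>';
        },
        $html
    );
    if ($result === null) {
        throw new RuntimeException('preg_replace_callback failed: ' . preg_last_error_msg());
    }
    return $result;
}

/** script-src that allows only self-hosted files plus the scripts carrying this nonce. */
function scriptSrcPolicy(string $nonce): string
{
    return "script-src 'self' 'nonce-{$nonce}'";
}

// Constructed sample (not a real Hyvä template): two inline Alpine-style scripts,
// which a bare "script-src 'self'" blocks, and one external file, which it allows.
$template = <<<'HTML'
<div x-data="initCart()">...</div>
<script>function initCart() { return { items: [] }; }</script>
<script src="/static/frontend/Hyva/default/en_US/js/alpine.js"></script>
<script>document.addEventListener('alpine:init', () => console.log('ready'));</script>
HTML;

$nonce = generateCspNonce();
$html  = nonceInlineScripts($template, $nonce);

// In a framework-free script the header is sent like this. Inside Magento the nonce
// has to be registered with the Magento_Csp policy collector instead (2.4.7 ships a
// nonce helper in Magento_Csp for that), so the header Magento already emits gains
// the 'nonce-...' source; a second header() call would not merge with it.
header('Content-Security-Policy: ' . scriptSrcPolicy($nonce));
echo $html;
```

After this step the two inline scripts run under the strict policy while the external file is still allowed by 'self'. Note what the whole-output approach implies: any <script> tag that ends up in the rendered HTML receives the nonce, not only those from template files, so it only holds up if every inline script in the output is trusted template code. That is the kind of trade-off the author defers to a later post.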

Yireo CspWhitelistInlineJs works for Hyvä too

I then extracted the same functionality into a generic module, Yireo_CspWhitelistInlineJs, and quickly found out that this fixed any CSP issue with inline scripts in any module I tried. This included the Hyvä Checkout as well.

In other words, my Yireo_CspWhitelistInlineJs module could be used with Hyvä / Hyvä Checkout installations where CSP needs to be enabled to be PCI-compliant. Problem solved. And no breaking changes.

There are some theoretical downsides to this automated approach, which I'll discuss in another blog post. There are also other, similar solutions, most of them paid - you're welcome.

What is next?

Currently, Hyvä is investigating its own solution. Perhaps it is based on my own solution, perhaps it is done differently. Stay tuned for that.

However, I personally think that a lot of developers - me, Hyvä, other module vendors - overlooked the importance of CSP in the past. Also, the fact that Hyvä has not brought a solution in four months' time (from the release of Magento 2.4.7 in April until now) causes me to say that the strategy towards CSP needs to change.

A Yireo webinar

This story is actually just one of many when it comes to CSP. The CSP technology (including the modifications that need to be made in Magento) is quite diverse, and it quickly leads to discussions. To initiate further discussions, Yireo is organizing a free webinar on August 30th.

You're welcome to join. Just make sure to register in advance: /webinar/2024-magento-csp


About the author

Author Jisse Reitsma

Jisse Reitsma is the founder of Yireo, extension developer, developer trainer and 3x Magento Master. His passion is for technology and open source. And he loves talking as well.
