How to Disable Magento 2 Content Security Policy
Magento 2 consistently strives to offer a secure platform for online businesses, and every Magento 2 release brings security enhancements and performance improvements.
New Magento releases come with exciting features and security enhancements for store owners.
However, the Content Security Policy introduced as part of the Magento 2 security improvements has troubled many store owners with console error messages or content security policy warnings.
You'd only know this if you have already upgraded to the latest Magento 2 version. If not, download Magento 2.4.6 NOW!
In this post we'll go through the entire topic and everything related to the Magento 2 Content Security Policy.
CSP was introduced in Magento 2.3.5 to add a layer of defence that detects and mitigates Cross-Site Scripting (XSS) and related data injection attacks.
Content Security Policy works in two modes:
- report-only mode – Magento reports policy violations but does not act on them. It is mainly used for debugging. CSP works in this mode by default.
- restrict mode – Magento enforces the policy and blocks resources that violate it.
Everything sounds glorious when you read about what content security policies can do!
But the reality hit me hard.
And it will hit you too.
That is why you may want to disable the Magento 2 Content Security Policy, and this post shows you how.
The problem that we are trying to solve with Magento 2 Content Security Policy:
Attackers who try to break into a Magento 2 store are after your customers' sensitive data. The most discussed security issue at the moment is "Magecart".
In a Magecart attack, criminals target online shopping carts to steal customers' payment information. It is a supply chain attack that has been active since 2016.
A Magecart attacker embeds a piece of JavaScript, either by altering the Magento 2 source code or by injecting a reference that makes the shopping cart load the script from a website hosting the malware.
If attackers somehow get access to your Magento 2 admin panel, they can use the Miscellaneous HTML feature of Magento to add innocent-looking tags that inject the malicious code.
This is the problem that Magento 2.3.5 CSP intends to solve!
Why is the Magento 2.3.5 Content Security Policy not enough to stop Magecart or similar attacks:
CSP cannot be implemented to its full potential because of Magento's frontend JavaScript.
Magento has to allow 'unsafe-inline' in its policy because inline JavaScript is used heavily throughout the platform. That is exactly what attackers rely on, an inline <script> tag, and Magento is forced to permit it.
Another obstacle is 'unsafe-eval', which cannot be disabled either. According to the Magento 2 CSP Architectural Design Document:
"To allow merchants to use whitelisting with hash we have to get rid of event handlers provided via HTML attributes and style attributes in our templates. There is no way to disable unsafe-eval right now since we use it for UI components and some of the front-end libraries we employ need it (like jQuery). A strategy must be created to remove eval() usage from UI components."
The Magento content security policy takes a whitelist approach: core functionality works with whitelisted domains only, and developers can use the extensible framework to whitelist any additional domains.
However, it has already been shown that the majority of whitelist-based CSPs can be bypassed, because whitelisted domains frequently expose JSONP endpoints that can be abused to run arbitrary script.
According to Google research, 95% of CSP policies can easily be bypassed!
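To make the two modes and the 'unsafe-inline' allowance above concrete, here is an added example (not code from this post or from Magento) that parses the CSP response headers a storefront returns and reports whether an injected inline script would actually be blocked. The header value, hostnames and report path are constructed to resemble the Magento_Csp module's default report-only output, not captured from a real store.

```python
"""Added example (not the post's or Magento's code): report what a storefront's CSP headers really enforce."""
from urllib.parse import urlsplit

# Constructed sample resembling Magento_Csp's default report-only output; hostnames and path are made up.
SAMPLE_HEADERS = {
    "Content-Security-Policy-Report-Only": (
        "default-src 'self'; "
        "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://js.example-payments.test; "
        "img-src 'self' data:; report-uri /csp-report-endpoint"
    ),
}

def parse_csp(value):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def csp_mode(headers):
    """'restrict' = enforced, 'report-only' = violations only reported, 'none' = no CSP header at all."""
    if "Content-Security-Policy" in headers:
        return "restrict"
    return "report-only" if "Content-Security-Policy-Report-Only" in headers else "none"

def script_sources(policy):
    """script-src falls back to default-src when it is not set."""
    return policy.get("script-src", policy.get("default-src", []))

def allows_script_host(policy, url):
    """True if url's host matches an explicit host source in script-src ('self' and schemes ignored)."""
    host = urlsplit(url).netloc.lower()
    for src in script_sources(policy):
        if src.startswith("'") or src.endswith(":"):   # skip keywords and scheme-only sources
            continue
        pattern = src.lower().split("://")[-1].split("/")[0]
        if pattern in ("*", host) or (pattern.startswith("*.") and host.endswith(pattern[1:])):
            return True
    return False

def assess(headers):
    """Say whether an injected inline <script> would actually be blocked by this policy."""
    mode = csp_mode(headers)
    value = headers.get("Content-Security-Policy") or headers.get("Content-Security-Policy-Report-Only", "")
    srcs = script_sources(parse_csp(value))
    inline = "'unsafe-inline'" in srcs   # only an enforced policy without it stops injected inline JS
    return {"mode": mode, "inline_script_allowed": inline, "eval_allowed": "'unsafe-eval'" in srcs,
            "blocks_injected_inline_script": mode == "restrict" and not inline}
```

Run against the constructed sample, `assess` reports report-only mode with both 'unsafe-inline' and 'unsafe-eval' permitted, so an injected inline script would only generate a report, never be blocked.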
What to do now with Magento 2.3.5 CSP?
The traditional method is to periodically check the entire CMS content of the checkout page against a known-good copy. Any change found either came from your team or another legitimate source, or your store has been compromised.
But for now, I am posting the method to disable Magento 2 CSP.
Method to disable Magento 2 Content Security Policy:
Disable the Magento_Csp module using the command below:
php bin/magento module:disable Magento_Csp
That's it. With the module disabled, Magento no longer sends a Content Security Policy header at all, in either report-only or restrict mode.
Do share your thoughts on Magento CSP in the Comments section below.
Also, I’d be grateful if you can help me spread the word about the post via social media.
Thank you.
Sanjay Jethva
Sanjay is the co-founder and CTO of Meetanshi with hands-on expertise in Magento since 2011. He specializes in complex development, integrations, extensions, and customizations. Sanjay is one of the top 50 contributors to the Magento community and is recognized by Adobe.
His passion for Magento 2 and Shopify solutions has made him a trusted source for businesses seeking to optimize their online stores. He loves sharing technical solutions related to Magento 2 & Shopify.