Overview
Starting from 2.3.5, Magento ships a Content Security Policy (CSP) module to provide protection against Cross-Site Scripting (XSS) and similar attacks. This crucial control should not be ignored by merchants or, even worse, disabled or uninstalled, because it is meant to protect customers from card skimmers, session hijacking, clickjacking and similar attacks.
As usually happens, the new built-in tool brings new headaches and challenges to those who manage and maintain e-commerce shops. The built-in CSP whitelist doesn't include the various external resources used throughout merchants' websites: YouTube/Vimeo embeds, external images, CDNs, live chats, social network connectors, metrics and other services. Depending on the CSP mode deployed, these resources are either blocked outright (restrict mode) or allowed but flagged as violations in the browser console (report-only mode).
This extension is built to help you maintain the CSP whitelist by providing means to view all current policies, add new ones, disable untrustworthy resources added by third-party modules, and toggle the CSP mode from within the Magento admin panel.
Features
- Simplifies switching between CSP modes (restrict or report-only) right in the Magento admin
- Shows all policies in a grid view
- Provides a quick way to add new domains with the proper group/type
- Automatically adds new records to the DB from browser violation reports
- Provides the ability to disable any unwanted record introduced by a 3rd-party module
- Tracks new records after installing or updating extensions
- Fixes `directive 'frame-ancestors' does not support the source expression ''unsafe-inline''`
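As an added example (not code from the extension or from Magento core), the following PHP script shows the two tasks described above in working form: turning browser CSP violation reports into host entries in the csp_whitelist.xml layout that Magento_Csp reads, and refusing source expressions a directive cannot carry, which is where the 'frame-ancestors' / 'unsafe-inline' browser error quoted above comes from. The sample reports, hostnames and function names are constructed for illustration; it requires PHP 8.

```php
<?php
declare(strict_types=1);
/*
 * Added example, not code from the extension or from Magento core.
 * Turns browser CSP violation reports (the JSON a report-uri endpoint
 * receives) into entries in the csp_whitelist.xml layout read by
 * Magento_Csp, skipping inline/eval violations that no host entry can fix,
 * and refusing source expressions that 'frame-ancestors' cannot carry.
 * Sample reports and hosts below are constructed for illustration.
 */

/** Keywords 'frame-ancestors' accepts besides host and scheme sources (CSP3). */
const ANCESTOR_ONLY_KEYWORDS = ["'self'", "'none'"];

/** blocked-uri values that describe an inline/data resource, not a host. */
const NON_HOST_BLOCKED = ['', 'self', 'inline', 'eval', 'data', 'blob', 'about', 'wasm-eval'];

/**
 * Reject source expressions a directive does not support. 'frame-ancestors'
 * takes only host and scheme sources plus 'self' and 'none'; 'unsafe-inline',
 * nonces and hashes there only produce the browser error quoted on this page.
 */
function isValidSourceFor(string $directive, string $source): bool
{
    $isKeyword = str_starts_with($source, "'") && str_ends_with($source, "'");
    if ($directive === 'frame-ancestors' && $isKeyword) {
        return in_array($source, ANCESTOR_ONLY_KEYWORDS, true);
    }
    return true;
}

/**
 * Map one decoded "csp-report" object to ['policy' => directive, 'host' => host].
 * Returns null when no host whitelist entry could satisfy the report.
 */
function reportToWhitelistEntry(array $report): ?array
{
    $directive = $report['effective-directive']
        ?? strtok((string)($report['violated-directive'] ?? ''), ' ');
    $blocked = (string)($report['blocked-uri'] ?? '');
    if ($directive === false || $directive === '' || in_array($blocked, NON_HOST_BLOCKED, true)) {
        return null; // inline script/style needs a hash or nonce, not a host
    }
    $parts = parse_url($blocked);
    if ($parts === false || empty($parts['host'])) {
        return null;
    }
    $host = strtolower($parts['host']);
    if (isset($parts['port'])) {
        $host .= ':' . $parts['port']; // keep a non-default port in the entry
    }
    return isValidSourceFor($directive, $host) ? ['policy' => $directive, 'host' => $host] : null;
}

/** Collect unique (policy, host) pairs from raw report bodies. */
function collectEntries(array $rawReports): array
{
    $entries = [];
    foreach ($rawReports as $json) {
        $decoded = json_decode($json, true);
        $entry = is_array($decoded['csp-report'] ?? null)
            ? reportToWhitelistEntry($decoded['csp-report']) : null;
        if ($entry !== null) {
            $entries[$entry['policy'] . '|' . $entry['host']] = $entry; // dedupe
        }
    }
    return array_values($entries);
}

/** Render entries in the csp_whitelist.xml layout Magento_Csp reads. */
function renderWhitelistXml(array $entries): string
{
    $byPolicy = [];
    foreach ($entries as $e) {
        $byPolicy[$e['policy']][] = $e['host'];
    }
    ksort($byPolicy);
    $xml  = "<?xml version=\"1.0\"?>\n";
    $xml .= "<csp_whitelist xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n";
    $xml .= "    xsi:noNamespaceSchemaLocation=\"urn:magento:module:Magento_Csp:etc/csp_whitelist.xsd\">\n";
    $xml .= "    <policies>\n";
    foreach ($byPolicy as $policy => $hosts) {
        $xml .= "        <policy id=\"" . htmlspecialchars($policy) . "\">\n            <values>\n";
        foreach ($hosts as $host) {
            // value ids must be unique within a policy; derive one from the host
            $id = preg_replace('/[^a-z0-9]+/', '-', $host);
            $xml .= "                <value id=\"$id\" type=\"host\">" . htmlspecialchars($host) . "</value>\n";
        }
        $xml .= "            </values>\n        </policy>\n";
    }
    return $xml . "    </policies>\n</csp_whitelist>\n";
}

// Constructed sample reports, in the shape a report-uri endpoint receives.
$sampleReports = [
    '{"csp-report":{"document-uri":"https://shop.example/","effective-directive":"script-src","violated-directive":"script-src \'self\'","blocked-uri":"https://www.youtube.com/iframe_api"}}',
    '{"csp-report":{"document-uri":"https://shop.example/","effective-directive":"frame-src","violated-directive":"frame-src \'self\'","blocked-uri":"https://www.youtube.com/embed/abc123"}}',
    '{"csp-report":{"document-uri":"https://shop.example/","effective-directive":"img-src","violated-directive":"img-src \'self\'","blocked-uri":"https://cdn.example.net:8443/img/logo.png?v=3"}}',
    '{"csp-report":{"document-uri":"https://shop.example/","effective-directive":"script-src","violated-directive":"script-src \'self\'","blocked-uri":"inline"}}',
    '{"csp-report":{"document-uri":"https://shop.example/","effective-directive":"script-src","violated-directive":"script-src \'self\'","blocked-uri":"https://www.youtube.com/iframe_api"}}',
];

// The 'frame-ancestors' case this page mentions: the keyword is refused there
// but accepted for an ordinary fetch directive.
assert(!isValidSourceFor('frame-ancestors', "'unsafe-inline'"));
assert(isValidSourceFor('script-src', "'unsafe-inline'"));

echo renderWhitelistXml(collectEntries($sampleReports));
```

Two practical cautions. Every host this produces becomes a place from which scripts, frames or images may load, so review each candidate before committing it: a violation report proves only that a page tried to load the resource, not that the resource is trustworthy, and an over-broad entry (a wildcard or a shared CDN) is exactly what a card skimmer needs. Inline violations are deliberately dropped, because the fix for those is a hash or nonce entry, not a host. In Magento itself the mode is controlled by the config paths csp/mode/storefront/report_only and csp/mode/admin/report_only (1 = report-only, 0 = restrict), which is what the mode switch in the feature list changes.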
Technical Specifications
Current Version
2.4.1
Adobe Commerce platform compatibility
Adobe Commerce (cloud): 2.4 (current), 2.3 (obsolete)
Adobe Commerce (on-prem): 2.4 (current), 2.3 (obsolete)
Magento Open Source: 2.4 (current), 2.3 (obsolete)
Type
Stable Build
Updated
12 December, 2023
Categories
Extensions, Site Optimization, Site Monitoring
Quality Report
All tests were conducted on the latest versions of Adobe Commerce that existed for the compatible release lines at the moment of the extension submission. The latest versions of all other software were used, as applicable.
Release Notes
2.4.1:
- Compatible with Adobe Commerce (cloud) : 2.3 2.4
- Compatible with Adobe Commerce (on-prem) : 2.3 2.4
- Compatible with Magento Open Source : 2.3 2.4
- Stability: Stable Build
Description:
• Added support for “style-src-elem 'self'” and “script-src-elem 'self'” directives for the admin;
• Disabled “unsafe-inline” for 'frame-ancestors' for the admin.
2.4.0:
- Compatible with Adobe Commerce (cloud) : 2.3 2.4
- Compatible with Adobe Commerce (on-prem) : 2.3 2.4
- Compatible with Magento Open Source : 2.3 2.4
- Stability: Stable Build
Description:
• Added error logging;
• Added support for wildcard (*) when specifying Value;
• Added support for Magento 2.4.4 and PHP 8.1.
2.3.5:
- Compatible with Adobe Commerce (cloud) : 2.3 2.4
- Compatible with Adobe Commerce (on-prem) : 2.3 2.4
- Compatible with Magento Open Source : 2.3 2.4
- Stability: Stable Build
Description:
• Added support for “style-src-elem 'self'” and “script-src-elem 'self'” directives.
2.3.4:
- Compatible with Adobe Commerce (cloud) : 2.3 2.4
- Compatible with Adobe Commerce (on-prem) : 2.3 2.4
- Compatible with Magento Open Source : 2.3 2.4
- Stability: Stable Build
Description:
• Source now renders the full path to the file containing the policy (applicable to system policies only, in Magento 2.4+);
• The policy table is now locked while new violations are reported and new policies are created;
• Addressed an issue with Group field sorting;
• Added support for the new 'style-src-elem' and 'script-src-elem' directives;
• Addressed an issue with hash validation when editing a policy.
2.2.7:
- Compatible with Adobe Commerce (cloud) : 2.3 2.4
- Compatible with Adobe Commerce (on-prem) : 2.3 2.4
- Compatible with Magento Open Source : 2.3 2.4
- Stability: Stable Build
Description:
• Added a setting to disable the Report-To directive.
2.2.6:
- Compatible with Adobe Commerce (cloud) : 2.3 2.4
- Compatible with Adobe Commerce (on-prem) : 2.3 2.4
- Compatible with Magento Open Source : 2.3 2.4
- Stability: Stable Build
Description:
• Added support for protocol and port in the host field;
• Addressed an issue with duplicate records sourced from 3rd-party domains;
• Addressed a Magento issue with `directive 'frame-ancestors' does not support the source expression ''unsafe-inline''`.
2.2.2:
- Compatible with Adobe Commerce (cloud) : 2.3 2.4
- Compatible with Adobe Commerce (on-prem) : 2.3 2.4
- Compatible with Magento Open Source : 2.3 2.4
- Stability: Stable Build
Description:
• Added the ability to add new policies from report-uri violation reports;
• Added Source and User Agent info to the policies grid;
• Improved host validation.
Support
The best place to start if you need help with a specific extension is to contact the developer. All Adobe Commerce developers have both a contact email and a support email listed.