Add Mage_Csp Module

[Hanmac]

Description (*)

Big Inspired by #4721, but extended with:

• Seperate base config for frontend and backend in the Magento settings.
• Also allowing Layout Updates to add more directives.
• (Should I also add Events for this?)

Related Pull Requests

• see The HTTP Content-Security-Policy response header #4721

Fixed Issues (if relevant)

• fixes OpenMage/magento-lts#<issue_number>

Manual testing scenarios (*)

1. ...
2. ...

Questions or comments

Contribution checklist (*)

• Pull request has a meaningful description of its purpose
• All commits are accompanied by meaningful commit messages
• All automated tests passed successfully (all builds are green)

[Hanmac]

@Tomasz-Silpion would you like to review this?

[empiricompany]

I'm interested in this feature, but looking at the implementation, is there a specific reason why a block that doesn't return anything was used, instead of setting the headers during the HTTP response dispatch phase (e.g., in an event like http_response_send_before)?

[Hanmac]

I'm interested in this feature, but looking at the implementation, is there a specific reason why a block that doesn't return anything was used, instead of setting the headers during the HTTP response dispatch phase (e.g., in an event like http_response_send_before)?

I want to update it with different Layout updates.
Like our shop has some design where I need to add additional values

[empiricompany]

My doubt is why add a layout update if the feature is not at the view level? Even the module you mentioned does not work on the layout, there is a particular reason for this choice?

[Hanmac]

why add a layout update if the feature is not at the view level

Because layout updates are an easy way to switch and add values to this

[empiricompany]

why cache this in config_api?

[Hanmac]

I updated the cache type and the cache id
I think it makes sense to mark this under cache_type=config ?

[empiricompany]

I tested the cache behavior of csp.xml but it doesn’t seem to be working as expected.
Here are the steps I followed:

1. Enabled only the CONFIG cache
2. Loaded the frontend and confirmed that *.cloudflare.com appears in the CSP script-src header
3. Added a new host *.test.com to csp.xml under script-src
4. Reloaded the frontend, and the changes were immediately reflected in the header — but it should still show only *.cloudflare.com until the CONFIG cache is refreshed

[Hanmac]

ugh, i need to debug it, i took the Cache thing from there: #4721

[empiricompany]

instead to create a new csp.xml we can allow modules to add directly in config.xml
like ignore_user_agents with an unique key?

magento-lts/app/code/core/Mage/Log/etc/config.xml

Line 31 in f04ef67

<ignore_user_agents>

[sreichel]

@Hanmac can you allow to create PRs to your repo?

Suggestion ... sreichel@be203c1

[Hanmac]

@Hanmac can you allow to create PRs to your repo?

Suggestion ... sreichel@be203c1

$this->items[$type][] = $data;

CS Fixer complained about this line

[sreichel]

Um, all checks are green ... https://github.com/sreichel/magento-lts/actions/runs/14600225861

(i have only removed a space)

[sreichel]

Dont want to ask for adding tests, but to review #4758.

I'll add tests for Mage_Csp asap.

[Hanmac]

@sreichel what do you think? Should I add events to the Block too?

[sreichel]

What events are you thinking about?

[Hanmac]

What events are you thinking about?

Event in Block that takes the $directives as ArrayObject, and the block too. (to access the Layout?)

So the User can define more Header depending on other values.
For example, different Captcha Module?

Edit: might need to find a good name for the Event

[sreichel]

@sreichel what do you think?

Das "Danke" manchen ein Fremdwort ist ...

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[sreichel]

Closed with #4776