The HTTP Content-Security-Policy response header

[Tomasz-Silpion]

Based on SecurityHeaders, OpenMage does not have any CSP headers implemented, and the overall page rating is D. The only resource that somewhat addresses this issue is Netalico's Magento 1 CSP module, which I found on GitHub.

Unlike Magento 2, there is no native solution for this. Shouldn't we implement a Mage_Csp addon for OpenMage, or extend it within the Mage_Core namespace?

I've just quickly implemented a simple version of this. What's your opinion?

081d8e3

[pquerner]

I would need to read up on that topic, as I know next to nothing about it.
Your solution seems neat tho, apart from some smaller things (copyright year, the usual :D).

Whats the csp.xml file you want to request in one of the files? How should that look like?

[Tomasz-Silpion]

I will start introducing that into my websites, then come back with some adjustments sooner or later.

At the moment csp.xml file can be placed into any module /etc/ folder alike api.xml or other files. Sample content:

<config>
    <csp>
        <connect-src>
            <host>*.doubleclick.net</host>
        </connect-src>
        <img-src>
            <host>*.google.pl</host>
        </img-src>
    </csp>
</config>

Adobe Commerce uses similar approach https://developer.adobe.com/commerce/php/development/security/content-security-policies/

[justinbeaty]

Nice, I’ve had this on my todo list to investigate for some time. My ideal features would be to have different headers for frontend, frontend checkout, admin, and admin checkout. It would also be nice to have a helper method to output hashed / nonce script blocks, but we also have so many onXXX="" and style="" attributes, so that’s less important.

[Hanmac]

Some things:

• I would like to see an option for backend too (maybe even different csp lists for backend?)
• the default values you currently define as a fixed list, i think they should all be moved to configs.
• "object-src" => "'none'", doesn't this mean that nothing can overwrite object-src ? You should probably add 'none' when a section is empty?