Disabling Content Security Policy (CSP) in Magento
As of version 2.3.5, Magento ships a Content Security Policy (CSP), which is enabled by default in "report-only" mode. In the previous article I outlined some concerns about how useful the Content Security Policy in Magento 2.3.5 really is. Here we look at how to disable it.
How to disable Content Security Policy (CSP)
The best way to disable the Content Security Policy is to disable the Magento_Csp module:
php bin/magento module:disable Magento_Csp
For security reasons there is no on/off switch in the Magento admin panel (otherwise a potential attacker with Magento admin access could evade detection simply by turning the module off). It therefore has to be done from the command line.
Why would I want to do this?
As discussed in "Magento 2.3.5+ Content Security Policy (CSP): A Fool's Errand", CSP offers little value against the threat model that most Magento merchants actually face. For the most part it is currently just a source of noise in the developer console that further contributes to alert fatigue.
An out-of-the-box Magento 2.3.5 Commerce Edition install shows all of these errors in the console when the admin panel is loaded:
The Content Security Policy 'font-src 'self' 'unsafe-inline'; form-action http://secure.authorize.nethttp://test.authorize.nethttp://geostag.cardinalcommerce.comhttp://geo.cardinalcommerce.comhttp://1eafstag.cardinalcommerce.comhttp://1eaf.cardinalcommerce.comhttp://centinelapistag.cardinalcommerce.comhttp://centinelapi.cardinalcommerce.com 'self' 'unsafe-inline'; frame-ancestors 'self' 'unsafe-inline'; frame-src http://secure.authorize.nethttp://test.authorize.nethttp://geostag.cardinalcommerce.comhttp://geo.cardinalcommerce.comhttp://1eafstag.cardinalcommerce.comhttp://1eaf.cardinalcommerce.comhttp://centinelapistag.cardinalcommerce.comhttp://centinelapi.cardinalcommerce.comhttp://www.paypal.comhttp://www.sandbox.paypal.com 'self' 'unsafe-inline'; img-src http://widgets.magentocommerce.comhttp://www.googleadservices.comhttp://www.google-analytics.comhttp://t.paypal.comhttp://www.paypal.comhttp://www.paypalobjects.comhttp://fpdbs.paypal.comhttp://fpdbs.sandbox.paypal.com *.http://vimeocdn.comhttp://s.ytimg.com 'self' 'unsafe-inline'; script-src http://assets.adobedtm.comhttp://secure.authorize.nethttp://test.authorize.nethttp://geostag.cardinalcommerce.comhttp://1eafstag.cardinalcommerce.comhttp://geoapi.cardinalcommerce.comhttp://1eafapi.cardinalcommerce.comhttp://songbird.cardinalcommerce.comhttp://includestest.ccdc02.comhttp://js.authorize.nethttp://jstest.authorize.nethttp://www.googleadservices.comhttp://www.google-analytics.comhttp://www.paypal.comhttp://www.sandbox.paypal.comhttp://www.paypalobjects.comhttp://t.paypal.comhttp://js.braintreegateway.comhttp://s.ytimg.comhttp://video.google.comhttp://vimeo.comhttp://www.vimeo.comhttp://cdn-scripts.signifyd.comhttp://www.youtube.com 'self' 'unsafe-inline' 'unsafe-eval'; style-src http://getfirebug.com 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; media-src 'self' 'unsafe-inline'; manifest-src 'self' 'unsafe-inline'; connect-src 
http://geostag.cardinalcommerce.comhttp://geo.cardinalcommerce.comhttp://1eafstag.cardinalcommerce.comhttp://1eaf.cardinalcommerce.comhttp://centinelapistag.cardinalcommerce.comhttp://centinelapi.cardinalcommerce.com 'self' 'unsafe-inline'; child-src 'self' 'unsafe-inline'; default-src 'self' 'unsafe-inline' 'unsafe-eval'; base-uri 'self' 'unsafe-inline';' was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header. (index):1 [Report Only] Refused to load the stylesheet 'https://fonts.googleapis.com/css?family=Work+Sans:400,700.less' because it violates the following Content Security Policy directive: "style-src http://getfirebug.com 'self' 'unsafe-inline'". Note that 'style-src-elem' was not explicitly set, so 'style-src' is used as a fallback. (index):1 [Report Only] Refused to load the script 'https://www.google.com/recaptcha/api.js' because it violates the following Content Security Policy directive: "script-src http://assets.adobedtm.comhttp://secure.authorize.nethttp://test.authorize.nethttp://geostag.cardinalcommerce.comhttp://1eafstag.cardinalcommerce.comhttp://geoapi.cardinalcommerce.comhttp://1eafapi.cardinalcommerce.comhttp://songbird.cardinalcommerce.comhttp://includestest.ccdc02.comhttp://js.authorize.nethttp://jstest.authorize.nethttp://www.googleadservices.comhttp://www.google-analytics.comhttp://www.paypal.comhttp://www.sandbox.paypal.comhttp://www.paypalobjects.comhttp://t.paypal.comhttp://js.braintreegateway.comhttp://s.ytimg.comhttp://video.google.comhttp://vimeo.comhttp://www.vimeo.comhttp://cdn-scripts.signifyd.comhttp://www.youtube.com 'self' 'unsafe-inline' 'unsafe-eval'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback. 
api.js:1 [Report Only] Refused to load the script 'https://www.gstatic.com/recaptcha/releases/wk6lx42JIeYmEAQSHndnyT8Q/recaptcha__en.js' because it violates the following Content Security Policy directive: "script-src http://assets.adobedtm.comhttp://secure.authorize.nethttp://test.authorize.nethttp://geostag.cardinalcommerce.comhttp://1eafstag.cardinalcommerce.comhttp://geoapi.cardinalcommerce.comhttp://1eafapi.cardinalcommerce.comhttp://songbird.cardinalcommerce.comhttp://includestest.ccdc02.comhttp://js.authorize.nethttp://jstest.authorize.nethttp://www.googleadservices.comhttp://www.google-analytics.comhttp://www.paypal.comhttp://www.sandbox.paypal.comhttp://www.paypalobjects.comhttp://t.paypal.comhttp://js.braintreegateway.comhttp://s.ytimg.comhttp://video.google.comhttp://vimeo.comhttp://www.vimeo.comhttp://cdn-scripts.signifyd.comhttp://www.youtube.com 'self' 'unsafe-inline' 'unsafe-eval'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback. (anonymous) @ api.js:1 (anonymous) @ api.js:1 6[Report Only] Refused to load the font '<URL>' because it violates the following Content Security Policy directive: "font-src 'self' 'unsafe-inline'".
The widespread confusion these errors cause among developers can be seen on StackExchange:
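The console output above shows the two things worth checking before deciding whether to keep the module: a report-only policy with no report-uri or report-to directive (which the browser ignores entirely, as the first message says) and source lists full of 'unsafe-inline' and 'unsafe-eval'. The following checker is an added example, not Magento's code; it parses a header value constructed here to resemble the default policy, and the `assess_csp`/`policy_is_effective` names are my own.

```python
"""Assess a CSP header value: is it report-only without a reporting endpoint
(so it has no effect), and which directives carry permissive keywords?"""
from dataclasses import dataclass, field

# Constructed sample modelled on the default Magento 2.3.5 policy shown above
# (shortened; not the literal header).
SAMPLE_HEADER = (
    "default-src 'self' 'unsafe-inline' 'unsafe-eval'; "
    "script-src http://www.paypal.com http://js.braintreegateway.com "
    "'self' 'unsafe-inline' 'unsafe-eval'; "
    "style-src http://getfirebug.com 'self' 'unsafe-inline'; "
    "font-src 'self' 'unsafe-inline'; "
    "img-src http://www.paypalobjects.com * 'self'"
)

PERMISSIVE = ("'unsafe-inline'", "'unsafe-eval'", "*")


@dataclass
class CspAssessment:
    directives: dict = field(default_factory=dict)   # name -> [source, ...]
    report_only: bool = False
    has_report_endpoint: bool = False
    permissive: dict = field(default_factory=dict)   # name -> weak keywords


def parse_csp(header_value: str) -> dict:
    """Split a CSP header value into {directive: [sources]}.
    Directives are ';'-separated; per CSP, a repeated directive is ignored."""
    directives = {}
    for part in header_value.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        directives.setdefault(name, sources)
    return directives


def assess_csp(header_value: str, report_only: bool) -> CspAssessment:
    """report_only=True means the value came from Content-Security-Policy-Report-Only."""
    directives = parse_csp(header_value)
    endpoint = "report-uri" in directives or "report-to" in directives
    weak = {n: [s for s in v if s in PERMISSIVE] for n, v in directives.items()}
    weak = {n: s for n, s in weak.items() if s}
    return CspAssessment(directives, report_only, endpoint, weak)


def policy_is_effective(a: CspAssessment) -> bool:
    """A report-only policy with nowhere to report produces only console noise."""
    return (not a.report_only) or a.has_report_endpoint
```

Run it against a live header with `curl -sI https://<your-store>/admin | grep -i content-security-policy` and feed the value in; a report-only policy that fails `policy_is_effective` is doing nothing but generating the warnings shown above.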