├── registration.php
├── etc
    ├── module.xml
    ├── di.xml
    ├── acl.xml
    └── adminhtml
    │   └── system.xml
├── composer.json
├── LICENSE
├── Helper
    └── Configuration.php
├── Block
    └── Adminhtml
    │   └── Form
    │       └── Field
    │           ├── TypeColumn.php
    │           └── Policies.php
├── README.md
├── Model
    └── Source
    │   └── Type.php
└── Plugin
    └── CspWhitelist.php


/registration.php:
--------------------------------------------------------------------------------
1 | <?php
2 | 
3 | use Magento\Framework\Component\ComponentRegistrar;
4 | 
5 | ComponentRegistrar::register(ComponentRegistrar::MODULE, 'CtiDigital_CspWhitelist', __DIR__);
6 | 


--------------------------------------------------------------------------------
/etc/module.xml:
--------------------------------------------------------------------------------
1 | <?xml version="1.0"?>
2 | <config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
3 |         xsi:noNamespaceSchemaLocation="urn:magento:framework:Module/etc/module.xsd">
4 |     <module name="CtiDigital_CspWhitelist"/>
5 | </config>
6 | 


--------------------------------------------------------------------------------
/composer.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "name": "ctidigital/magento2-csp-whitelist",
 3 |   "version": "1.0.1",
 4 |   "description": "Control CSP via the admin area",
 5 |   "type": "magento2-module",
 6 |   "license": [
 7 |     "MIT"
 8 |   ],
 9 |   "autoload": {
10 |     "files": [
11 |       "registration.php"
12 |     ],
13 |     "psr-4": {
14 |       "CtiDigital\\CspWhitelist\\": ""
15 |     }
16 |   }
17 | }
18 | 


--------------------------------------------------------------------------------
/etc/di.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0"?>
 2 | <config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 3 |         xsi:noNamespaceSchemaLocation="urn:magento:framework:ObjectManager/etc/config.xsd">
 4 |     <type name="Magento\Csp\Model\Collector\CspWhitelistXmlCollector">
 5 |         <plugin name="ctidigital_csp_whitelist" type="CtiDigital\CspWhitelist\Plugin\CspWhitelist"/>
 6 |     </type>
 7 | 
 8 |     <type name="CtiDigital\CspWhitelist\Plugin\CspWhitelist">
 9 |         <arguments>
10 |             <argument name="configReader" xsi:type="object">Magento\Csp\Model\Collector\CspWhitelistXml\Data</argument>
11 |         </arguments>
12 |     </type>
13 | </config>
14 | 


--------------------------------------------------------------------------------
/etc/acl.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0"?>
 2 | <config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 3 |         xsi:noNamespaceSchemaLocation="urn:magento:framework:Acl/etc/acl.xsd">
 4 |     <acl>
 5 |         <resources>
 6 |             <resource id="Magento_Backend::admin">
 7 |                 <resource id="Magento_Backend::stores">
 8 |                     <resource id="Magento_Backend::stores_settings">
 9 |                         <resource id="Magento_Config::config">
10 |                             <resource id="CtiDigital_CspWhitelist::config" title="CSP Whitelist"/>
11 |                         </resource>
12 |                     </resource>
13 |                 </resource>
14 |             </resource>
15 |         </resources>
16 |     </acl>
17 | </config>
18 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2021 CTI Digital
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/Helper/Configuration.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | namespace CtiDigital\CspWhitelist\Helper;
 4 | 
 5 | use Magento\Framework\App\Helper\AbstractHelper;
 6 | use Magento\Framework\Serialize\Serializer\Json;
 7 | use Magento\Framework\App\Helper\Context;
 8 | 
 9 | class Configuration extends AbstractHelper
10 | {
11 | 
12 |     const CONFIG_ENABLE = 'csp/general/enabled';
13 |     const CONFIG_POLICIES = 'csp/general/policies';
14 | 
15 |     /** @var Json */
16 |     private $serialize;
17 | 
18 |     /**
19 |      * @param Context $context
20 |      * @param Json $serialize
21 |      */
22 |     public function __construct(
23 |         Context $context,
24 |         Json $serialize
25 |     ) {
26 |         $this->serialize = $serialize;
27 |         parent::__construct($context);
28 |     }
29 | 
30 |     /**
31 |      * check to see if module is enabled
32 |      *
33 |      * @return bool
34 |      */
35 |     public function isEnabled(): bool
36 |     {
37 |         return $this->scopeConfig->isSetFlag(self::CONFIG_ENABLE);
38 |     }
39 | 
40 |     /**
41 |      * get a list of policies
42 |      *
43 |      * @return array
44 |      */
45 |     public function getPolicies(): array
46 |     {
47 |         $data = [];
48 |         $policies = $this->scopeConfig->getValue(self::CONFIG_POLICIES);
49 |         if (!$policies) {
50 |             return $data;
51 |         }
52 |         foreach ($this->serialize->unserialize($policies) as $policy) {
53 |             $data[$policy['policy']][] = $policy['value'];
54 |         }
55 |         return $data;
56 |     }
57 | }
58 | 


--------------------------------------------------------------------------------
/Block/Adminhtml/Form/Field/TypeColumn.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | namespace CtiDigital\CspWhitelist\Block\Adminhtml\Form\Field;
 4 | 
 5 | use CtiDigital\CspWhitelist\Model\Source\Type;
 6 | use Magento\Framework\View\Element\Context;
 7 | use Magento\Framework\View\Element\Html\Select;
 8 | 
 9 | class TypeColumn extends Select
10 | {
11 | 
12 |     /** @var Type */
13 |     private $type;
14 | 
15 |     /**
16 |      * @param Context $context
17 |      * @param Type $type
18 |      * @param array $data
19 |      */
20 |     public function __construct(
21 |         Context $context,
22 |         Type $type,
23 |         array $data = []
24 |     ) {
25 |         $this->type = $type;
26 |         parent::__construct($context, $data);
27 |     }
28 | 
29 |     /**
30 |      * Set "name" for <select> element
31 |      *
32 |      * @param string $value
33 |      * @return $this
34 |      */
35 |     public function setInputName(string $value): TypeColumn
36 |     {
37 |         return $this->setName($value);
38 |     }
39 | 
40 |     /**
41 |      * Set "id" for <select> element
42 |      *
43 |      * @param $value
44 |      * @return $this
45 |      */
46 |     public function setInputId($value): TypeColumn
47 |     {
48 |         return $this->setId($value);
49 |     }
50 | 
51 |     /**
52 |      * Render block HTML
53 |      *
54 |      * @return string
55 |      * @SuppressWarnings(PHPMD.CamelCaseMethodName)
56 |      */
57 |     public function _toHtml(): string
58 |     {
59 |         if (!$this->getOptions()) {
60 |             $this->setOptions($this->type->toOptionArray());
61 |         }
62 |         return parent::_toHtml();
63 |     }
64 | }
65 | 


--------------------------------------------------------------------------------
/etc/adminhtml/system.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8" ?>
 2 | <config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 3 |         xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Config:etc/system_file.xsd">
 4 |     <system>
 5 |         <tab id="cti" translate="label" sortOrder="1000">
 6 |             <label>CTI</label>
 7 |         </tab>
 8 |         <section id="csp" translate="label" sortOrder="100" showInDefault="1" showInWebsite="1" showInStore="1">
 9 |             <class>separator-top</class>
10 |             <label>CSP Whitelist</label>
11 |             <tab>cti</tab>
12 |             <resource>CtiDigital_CspWhitelist::config</resource>
13 |             <group id="general" translate="label" sortOrder="10" showInDefault="1" showInWebsite="1" showInStore="1">
14 |                 <label>General</label>
15 |                 <field id="enabled" translate="label" type="select" sortOrder="10" showInDefault="1" showInWebsite="1"
16 |                        showInStore="1">
17 |                     <label>Enabled</label>
18 |                     <source_model>Magento\Config\Model\Config\Source\Yesno</source_model>
19 |                     <comment><![CDATA[Enables/disables CSP Whitelisting]]></comment>
20 |                 </field>
21 |                 <field id="policies" translate="label" sortOrder="20" showInDefault="1" showInWebsite="1"
22 |                        showInStore="1">
23 |                     <label>Policies</label>
24 |                     <frontend_model>CtiDigital\CspWhitelist\Block\Adminhtml\Form\Field\Policies</frontend_model>
25 |                     <backend_model>Magento\Config\Model\Config\Backend\Serialized\ArraySerialized</backend_model>
26 |                 </field>
27 |             </group>
28 |         </section>
29 |     </system>
30 | </config>
31 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # Magento 2 CSP Whitelist
 2 | A Magento 2 module created by [CTI Digital] to create and maintain Content Security Policies via the admin panel.
 3 | 
 4 | ## Installation
 5 | - `composer require ctidigital/magento2-csp-whitelist`
 6 | - `php bin/magento module:enable CtiDigital_CspWhitelist`
 7 | - `php bin/magento setup:upgrade`
 8 | 
 9 | ## Usage
10 | Identify the resource blocked by the Content Security Policy:
11 | ```
12 | Refused to load https://www.google-analytics.com/analytics.js because it does not appear in the script-src directive of the Content Security Policy.
13 | ```
14 | 1. Take note of the resource `google-analytics.com` or `*.google-analytics.com`.
15 | 2. Check which policy it violates `script-src`.
16 | 3. Navigate to admin panel `Stores->Configuration->Cti->CSP Whitelist`
17 | 4. Ensure the module is enabled. Add a new row, select a resource and add the value.
18 | 5. Save and flush the relevant caches.
19 | 
20 | ## Policies
21 | ```
22 | POLICY NAME	DESCRIPTION
23 | default-src	The default policy.
24 | base-uri	Defines which URLs can appear in a page’s <base> element.
25 | child-src	Defines the sources for workers and embedded frame contents.
26 | connect-src	Defines the sources that can be loaded using script interfaces.
27 | font-src	Defines which sources can serve fonts.
28 | form-action	Defines valid endpoints for submission from <form> tags.
29 | frame-ancestors	Defines the sources that can embed the current page.
30 | frame-src	Defines the sources for elements such as <frame> and <iframe>.
31 | img-src         Defines the sources from which images can be loaded.
32 | manifest-src	Defines the allowable contents of web app manifests.
33 | media-src	Defines the sources from which images can be loaded.
34 | object-src	Defines the sources for the <object>, <embed>, and <applet> elements.
35 | script-src	Defines the sources for JavaScript <script> elements.
36 | style-src	Defines the sources for stylesheets.
37 | ```
38 | 
39 | [CTI Digital]:https://www.ctidigital.com/


--------------------------------------------------------------------------------
/Block/Adminhtml/Form/Field/Policies.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | namespace CtiDigital\CspWhitelist\Block\Adminhtml\Form\Field;
 4 | 
 5 | use Magento\Config\Block\System\Config\Form\Field\FieldArray\AbstractFieldArray;
 6 | use Magento\Framework\DataObject;
 7 | use Magento\Framework\Exception\LocalizedException;
 8 | use Magento\Framework\View\Element\BlockInterface;
 9 | 
10 | class Policies extends AbstractFieldArray
11 | {
12 |     /** @var BlockInterface */
13 |     private $typeRenderer;
14 | 
15 |     /**
16 |      * @SuppressWarnings(PHPMD.CamelCaseMethodName)
17 |      */
18 |     protected function _prepareToRender()
19 |     {
20 |         $this->addColumn('policy', [
21 |             'label' => __('Policy Type'),
22 |             'class' => 'required-entry',
23 |             'renderer' => $this->getTypeRenderer(),
24 |         ]);
25 |         $this->addColumn('value', ['label' => __('Value'), 'class' => 'required-entry']);
26 | 
27 |         $this->_addAfter = false;
28 |         $this->_addButtonLabel = __('Add');
29 |     }
30 | 
31 |     /**
32 |      * @SuppressWarnings(PHPMD.CamelCaseMethodName)
33 |      * @param DataObject $row
34 |      */
35 |     protected function _prepareArrayRow(DataObject $row)
36 |     {
37 |         $options = [];
38 |         $policy = $row->getPolicy();
39 |         if ($policy !== null) {
40 |             $options['option_' . $this->getTypeRenderer()->calcOptionHash($policy)] = 'selected="selected"';
41 |         }
42 |         $row->setData('option_extra_attrs', $options);
43 |     }
44 | 
45 |     /**
46 |      * @return BlockInterface
47 |      */
48 |     private function getTypeRenderer(): BlockInterface
49 |     {
50 |         if (!$this->typeRenderer) {
51 |             try {
52 |                 $this->typeRenderer = $this->getLayout()->createBlock(
53 |                     TypeColumn::class,
54 |                     '',
55 |                     ['data' => ['is_render_to_js_template' => true]]
56 |                 );
57 |             } catch (LocalizedException $e) {
58 |                 return $this->typeRenderer;
59 |             }
60 |         }
61 |         return $this->typeRenderer;
62 |     }
63 | }
64 | 


--------------------------------------------------------------------------------
/Model/Source/Type.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | namespace CtiDigital\CspWhitelist\Model\Source;
 4 | 
 5 | use Magento\Eav\Model\Entity\Attribute\Source\AbstractSource;
 6 | 
 7 | class Type extends AbstractSource
 8 | {
 9 |     const SOURCE_DEFAULT = 'default-src';
10 |     const SOURCE_BASE = 'base-uri';
11 |     const SOURCE_CHILD = 'child-src';
12 |     const SOURCE_CONNECT = 'connect-src';
13 |     const SOURCE_FONT = 'font-src';
14 |     const SOURCE_FORM = 'form-action';
15 |     const SOURCE_FRAME_ANCESTORS = 'frame-ancestors';
16 |     const SOURCE_FRAME = 'frame-src';
17 |     const SOURCE_IMG = 'img-src';
18 |     const SOURCE_MANIFEST = 'manifest-src';
19 |     const SOURCE_MEDIA = 'media-src';
20 |     const SOURCE_OBJECT = 'object-src';
21 |     const SOURCE_SCRIPT = 'script-src';
22 |     const SOURCE_STYLE = 'style-src';
23 | 
24 |     /**
25 |      * @return array[]|null
26 |      */
27 |     public function getAllOptions(): ?array
28 |     {
29 |         if ($this->_options === null) {
30 |             $this->_options = [
31 |                 ['label' => __('default-src') , 'value' => self::SOURCE_DEFAULT],
32 |                 ['label' => __('base-uri') , 'value' => self::SOURCE_BASE],
33 |                 ['label' => __('child-src') , 'value' => self::SOURCE_CHILD],
34 |                 ['label' => __('connect-src') , 'value' => self::SOURCE_CONNECT],
35 |                 ['label' => __('font-src') , 'value' => self::SOURCE_FONT],
36 |                 ['label' => __('form-action') , 'value' => self::SOURCE_FORM],
37 |                 ['label' => __('frame-ancestors') , 'value' => self::SOURCE_FRAME_ANCESTORS],
38 |                 ['label' => __('frame-src') , 'value' => self::SOURCE_FRAME],
39 |                 ['label' => __('img-src') , 'value' => self::SOURCE_IMG],
40 |                 ['label' => __('manifest-src') , 'value' => self::SOURCE_MANIFEST],
41 |                 ['label' => __('media-src') , 'value' => self::SOURCE_MEDIA],
42 |                 ['label' => __('object-src') , 'value' => self::SOURCE_OBJECT],
43 |                 ['label' => __('script-src') , 'value' => self::SOURCE_SCRIPT],
44 |                 ['label' => __('style-src') , 'value' => self::SOURCE_STYLE]
45 |             ];
46 |         }
47 |         return $this->_options;
48 |     }
49 | }
50 | 


--------------------------------------------------------------------------------
/Plugin/CspWhitelist.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | namespace CtiDigital\CspWhitelist\Plugin;
 4 | 
 5 | use CtiDigital\CspWhitelist\Helper\Configuration;
 6 | use Magento\Csp\Api\Data\PolicyInterface;
 7 | use Magento\Csp\Model\Collector\CspWhitelistXmlCollector;
 8 | use Magento\Framework\Config\DataInterface as ConfigReader;
 9 | use Magento\Csp\Model\Policy\FetchPolicy;
10 | use Magento\Csp\Model\Policy\FetchPolicyFactory;
11 | 
12 | class CspWhitelist
13 | {
14 |     /** @var ConfigReader */
15 |     private $configReader;
16 | 
17 |     /** @var Configuration */
18 |     private $configuration;
19 | 
20 |     /** @var FetchPolicy */
21 |     private $fetchPolicy;
22 | 
23 |     /**
24 |      * @param ConfigReader $configReader
25 |      * @param Configuration $configuration
26 |      * @param FetchPolicyFactory $fetchPolicy
27 |      */
28 |     public function __construct(
29 |         ConfigReader $configReader,
30 |         Configuration $configuration,
31 |         FetchPolicyFactory $fetchPolicy
32 |     ) {
33 |         $this->configReader = $configReader;
34 |         $this->configuration = $configuration;
35 |         $this->fetchPolicy = $fetchPolicy;
36 |     }
37 | 
38 |     /**
39 |      * @param CspWhitelistXmlCollector $subject
40 |      * @param callable $proceed
41 |      * @param PolicyInterface[] $defaultPolicies
42 |      * @return array
43 |      * @SuppressWarnings(PHPMD.UnusedFormalParameter)
44 |      */
45 |     public function aroundCollect(
46 |         CspWhitelistXmlCollector $subject,
47 |         callable $proceed,
48 |         array $defaultPolicies = []
49 |     ): array {
50 |         if (!$this->configuration->isEnabled()) {
51 |             return $proceed($defaultPolicies);
52 |         }
53 |         $customPolicies = $this->configuration->getPolicies();
54 |         $policies = $defaultPolicies;
55 |         $config = $this->configReader->get(null);
56 |         foreach ($config as $policyId => $values) {
57 |             if (isset($customPolicies[$policyId])) {
58 |                 foreach ($customPolicies[$policyId] as $policy) {
59 |                     $values['hosts'][] = $policy;
60 |                 }
61 |             }
62 | 
63 |             $policies[] = $this->fetchPolicy->create([
64 |                 'id' => $policyId,
65 |                 'noneAllowed' => false,
66 |                 'hostSources' => $values['hosts'],
67 |                 'schemeSources' => [],
68 |                 'selfAllowed' => false,
69 |                 'inlineAllowed' => false,
70 |                 'evalAllowed' => false,
71 |                 'nonceValues' => [],
72 |                 'hashValues' => $values['hashes'],
73 |                 'dynamicAllowed' => false,
74 |                 'eventHandlersAllowed' => false
75 |             ]);
76 |         }
77 | 
78 |         return $policies;
79 |     }
80 | }
81 | 


--------------------------------------------------------------------------------