Magento2: Can't use livereload anymore because of new CSP policy

Created on 12 Aug 2020  ·  7 comments  ·  Source: magento/magento2

Summary (*)


I am using a tool called livereload, which helps speed up the workflow when working with LESS.
The script does not work anymore since Magento added a new module (Magento_CSP).
I get:

Refused to load the script 'http://www.company.de:35729/livereload.js' because it violates the following Content Security Policy directive ... Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

Note that I get this message, even though the script is hosted on my own server.
How can I whitelist this?

Examples (*)


-

Proposed solution


Make it possible to whitelist scripts loaded from own server.


Please provide Severity assessment for the Issue as Reporter. This information will help during Confirmation and Issue triage processes.

  • [ ] Severity: S0 _- Affects critical data or functionality and leaves users with no workaround._
  • [ ] Severity: S1 _- Affects critical data or functionality and forces users to employ a workaround._
  • [x] Severity: S2 _- Affects non-critical data or functionality and forces users to employ a workaround._
  • [ ] Severity: S3 _- Affects non-critical data or functionality and does not force users to employ a workaround._
  • [ ] Severity: S4 _- Affects aesthetics, professional look and feel, “quality” or “usability”._
Csp Developer ready for confirmation Dev.Experience

All 7 comments

Hi @Eddcapone. Thank you for your report.
To help us process this issue please make sure that you provided the following information:

  • Summary of the issue
  • Information on your environment
  • Steps to reproduce
  • Expected and actual results

Please make sure that the issue is reproducible on a vanilla Magento instance following Steps to reproduce. To deploy a vanilla Magento instance on our environment, please add a comment to the issue:

@magento give me 2.4-develop instance - upcoming 2.4.x release

For more details, please, review the Magento Contributor Assistant documentation.

Please, add a comment to assign the issue: @magento I am working on this


  • Join Magento Community Engineering Slack and ask your questions in #github channel.

    :warning: According to the Magento Contribution requirements, all issues must go through the Community Contributions Triage process. Community Contributions Triage is a public meeting.

:clock10: You can find the schedule on the Magento Community Calendar page.

:telephone_receiver: The triage of issues happens in the queue order. If you want to speed up the delivery of your contribution, please join the Community Contributions Triage session to discuss the appropriate ticket.

:movie_camera: You can find the recording of the previous Community Contributions Triage on the Magento Youtube Channel

:pencil2: Feel free to post questions/proposals/feedback related to the Community Contributions Triage process to the corresponding Slack Channel

Hello,

You can already whitelist scripts, you should read: https://devdocs.magento.com/guides/v2.4/extension-dev-guide/security/content-security-policies.html

Personally, I use flancer32/csp to create rules from database.

Regards
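The linked docs describe the mechanism but do not show the case from this issue, so here is an added example (not from the thread, and not the Magento project's own code): a module-level `etc/csp_whitelist.xml` that allows the livereload host from the error message under `script-src`. The module name `Vendor_DevTools` and its path are assumptions; the host and port are the ones quoted in the report. Two points a practitioner should not miss: the port is part of a CSP host-source (a source without `:35729` only matches the scheme's default port, so the script would still be refused), and livereload.js opens a WebSocket back to the same host and port, which is governed by `connect-src`, not `script-src`.

```xml
<?xml version="1.0"?>
<!-- app/code/Vendor/DevTools/etc/csp_whitelist.xml
     Module name and path are assumed for this example; any enabled module may ship this file. -->
<csp_whitelist xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Csp/etc/csp_whitelist.xsd">
    <policies>
        <!-- The violation quotes script-src (script-src-elem falls back to it),
             so the script host belongs under that directive.
             The scheme is written out because the page loads it over plain http,
             and the port must be included or the source will not match. -->
        <policy id="script-src">
            <values>
                <value id="livereload-script" type="host">http://www.company.de:35729</value>
            </values>
        </policy>
        <!-- livereload.js then connects via WebSocket to the same host and port;
             WebSocket connections are checked against connect-src, and a scheme-less
             or http:// source does not cover ws://, so it is spelled out here. -->
        <policy id="connect-src">
            <values>
                <value id="livereload-ws" type="host">ws://www.company.de:35729</value>
            </values>
        </policy>
    </policies>
</csp_whitelist>
```

Keep this file in a development-only module that is disabled in production, since it widens the policy to an unauthenticated development port. After adding it, flush the config cache (`bin/magento cache:flush`) and confirm the host appears in the `Content-Security-Policy` or `Content-Security-Policy-Report-Only` response header of a storefront page. The whitelist only adds sources; it does not change whether the module runs in report-only or enforcing mode.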

IMO the quickest way to bypass it is to disable the module Magento_Csp.

> Hello,
>
> You can already whitelist scripts, you should read: https://devdocs.magento.com/guides/v2.4/extension-dev-guide/security/content-security-policies.html
>
> Personally, I use flancer32/csp to create rules from database.
>
> Regards

It is not described how to whitelist a script from your own server, though. How can I do it, and why does Magento not even trust my own server?

And why do we need a custom extension for every little piece that should be standard functionality?

> It is not described how to whitelist a script from your own server, though. How can I do it, and why does Magento not even trust my own server?

By default, Magento CSP is in "report-only" mode; it can't block your custom script. It only shows warnings in the browser's console. Are you sure your problem is related to CSP?

Yes, it is. If I disable the module Magento_Csp then it works, and I am already in report-only mode.
