Download the PHP package experius/module-csp without Composer

On this page you can find all versions of the php package experius/module-csp. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.

FAQ

After the download, you have to add one include: require_once('vendor/autoload.php'); After that, you have to import the classes with use statements.

Example:
If you use only one package, a project is not needed. But if you use more than one package, it is not possible to import the classes with use statements without a project.

In general, it is recommended to always use a project to download your libraries. An application normally needs more than one library.
Some PHP packages are not free to download and because of that hosted in private repositories. In this case some credentials are needed to access such packages. Please use the auth.json textarea to insert credentials, if a package is coming from a private repository. You can look here for more information.

  • Some hosting areas are not accessible by a terminal or SSH. Then it is not possible to use Composer.
  • Using Composer is sometimes complicated, especially for beginners.
  • Composer needs a lot of resources. Sometimes they are not available on a simple webspace.
  • If you are using private repositories you don't need to share your credentials. You can set up everything on our site and then you provide a simple download link to your team member.
  • Simplify your Composer build process. Use our own command line tool to download the vendor folder as binary. This makes your build process faster and you don't need to expose your credentials for private repositories.

Information about the package module-csp

Mage2 Module Experius Csp

Installation

In production please use the --keep-generated option

Main Functionalities

Provides a basic Content Security Policy allowed list (whitelist). When a resource should be blocked, it is automatically reported in the Experius CSP Report table (experius_csp_report).

When a report of a blocked directive is found, an error message is shown in the admin to notify the developer/client.

These reports can be whitelisted for directives that allow this. See "Content Security Policy Reporting & whitelisting" below for an example and more details.

IMPORTANT: Content Security Policy Report Only Mode

In the upcoming Magento 2.4 release, Content Security Policy Report-Only mode will be disabled and the policy will be validated strictly.

The report-to has been disabled in this version because it is not working properly. See: \Experius\Csp\Plugin\Magento\Framework\App\Response\HttpInterface::beforeSetHeader

Basic allowed list

Currently this module contains a basic whitelist of sources considered "safe".

A few examples:

For a full list for each directive, please check the following file:

Content Security Policy Reporting & whitelisting

In the Magento Admin you can view the reports which are created.

System > Tools > CSP reporting & whitelist

To avoid clutter a counter is introduced, which prevents the table from growing in size excessively with many pageviews. This is grouped by "violated_directive", "blocked_uri" and "document_uri".

@TODO: [Nice to have] consider letting go of "document_uri", since the whitelist is applied across the entire Magento installation (globally).

Add a resource to the allowed list permanently

Based on the reports, you can easily add a csp_whitelist.xml file to your own module. When you are done, delete the record because it is no longer relevant. More information about how this XML file works can be found here:

https://devdocs.magento.com/guides/v2.3/extension-dev-guide/security/content-security-policies.html

For example Report:

Fix:

# app/code/Custom/Csp/etc/csp_whitelist
<?xml version="1.0"?>
<csp_whitelist xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Csp:etc/csp_whitelist.xsd">
    <policies>
        <policy id="img-src">
            <values>
                <value id="gstatic" type="host">*.gstatic.com</value>
            </values>
        </policy>
    </policies>
</csp_whitelist>
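
The report counter and the report-to-whitelist step described above, sketched as an added example (this is not the module's own code). The sample report bodies, the shop.example host, the "count" key and both function names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Requires PHP 7.4+. Constructed sample bodies in the JSON shape browsers POST to a CSP report endpoint.
$rawReports = [
    '{"csp-report":{"document-uri":"https://shop.example/","violated-directive":"img-src","blocked-uri":"https://fonts.gstatic.com/a.png"}}',
    '{"csp-report":{"document-uri":"https://shop.example/","violated-directive":"img-src","blocked-uri":"https://fonts.gstatic.com/a.png"}}',
    '{"csp-report":{"document-uri":"https://shop.example/cart","violated-directive":"img-src","blocked-uri":"https://fonts.gstatic.com/a.png"}}',
    '{"csp-report":{"document-uri":"https://shop.example/cart","violated-directive":"script-src","blocked-uri":"inline"}}',
    'not json',
];

// Collapse repeated violations into one row plus a counter ("count" is an assumed name).
// Pass false as second argument to group without document_uri, as the @TODO suggests.
function aggregateReports(array $rawReports, bool $groupByDocument = true): array
{
    $rows = [];
    foreach ($rawReports as $raw) {
        $decoded = json_decode($raw, true);
        $report = is_array($decoded) ? ($decoded['csp-report'] ?? null) : null;
        if (!is_array($report)) {
            continue; // malformed or unrelated body: do not store it
        }
        // Reports are unauthenticated input, so accept string fields only.
        $field = static fn(string $k): string => is_string($report[$k] ?? null) ? $report[$k] : '';
        $row = [
            'violated_directive' => $field('violated-directive'),
            'blocked_uri'        => $field('blocked-uri'),
        ];
        if ($groupByDocument) {
            $row['document_uri'] = $field('document-uri');
        }
        $key = implode("\n", $row);
        $rows[$key] ??= $row + ['count' => 0];
        $rows[$key]['count']++;
    }
    return array_values($rows);
}

// Host usable as <value type="host"> in csp_whitelist.xml, or null for keyword sources such as "inline".
function whitelistableHost(string $blockedUri): ?string
{
    $host = parse_url($blockedUri, PHP_URL_HOST);
    return is_string($host) && $host !== '' ? strtolower($host) : null;
}

foreach (aggregateReports($rawReports) as $row) {
    printf("%dx %s %s -> host: %s\n", $row['count'], $row['violated_directive'],
        $row['blocked_uri'], whitelistableHost($row['blocked_uri']) ?? '(none)');
}
```

A null host means the violation came from a keyword source such as an inline script, which a host entry in csp_whitelist.xml cannot allow.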
