Download the PHP package hyva-themes/magento2-optimized-csp-allowlist without Composer

On this page you can find all versions of the php package hyva-themes/magento2-optimized-csp-allowlist. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.

FAQ

After the download, you have to make one include require_once('vendor/autoload.php');. After that you have to import the classes with use statements.

Example:
If you use only one package a project is not needed. But if you use more then one package, without a project it is not possible to import the classes with use statements.

In general, it is recommended to use always a project to download your libraries. In an application normally there is more than one library needed.
Some PHP packages are not free to download and because of that hosted in private repositories. In this case some credentials are needed to access such packages. Please use the auth.json textarea to insert credentials, if a package is coming from a private repository. You can look here for more information.

  • Some hosting areas are not accessible by a terminal or SSH. Then it is not possible to use Composer.
  • To use Composer is sometimes complicated. Especially for beginners.
  • Composer needs much resources. Sometimes they are not available on a simple webspace.
  • If you are using private repositories you don't need to share your credentials. You can set up everything on our site and then you provide a simple download link to your team member.
  • Simplify your Composer build process. Use our own command line tool to download the vendor folder as binary. This makes your build process faster and you don't need to expose your credentials for private repositories.
Please rate this library. Is it a good library?

Informations about the package magento2-optimized-csp-allowlist

Content Security Policy Optimized Allowlist

This extension optimizes the Content Security Policy (CSP) for Magento by allowing selective loading of csp_whitelist.xml files, reducing security risks associated with unnecessary domain allowances and potential XSS vulnerabilities.

Description

The CSP header Content-Security-Policy contains a list of allowed domains which are to both your frontend and backend of your Magento installation and no validation is done if these domains are actually needed to run a page. This brings certain security risks as it can be used to trigger some clever XSS attacks (more below) on your store.

Even if CSP if fully enforced, eval and unsigned inline scripts are disabled, it still will be possible to inject non validated code to run on your store.

Your Magento installation will include many third party extensions and Magento also ships some csp_whitelist.xml files per default, all files include many domains. These domains will automatically be merged into the CSP header. Besides for the additional risks this greatly increases the size of the CSP header.

Installation

Installation in your Magento project is done via composer.

Post installation

This extension can run in two modes, fully disable all modules csp_whitelist.xml or check if a template file from a specific extension is used, only if a .phtml file from an installed extension is used it will include in the CSP header.

The first option is the safest, you can still include a csp_whitelist.xml file directly in your theme. After installation the second option is enabled per default.

Checking if an .phtml is used and only loading those allowlist XML files is enabled by default.

Configuration

You can configure how the extension should work per store, if you have a storeview and get some weird.

Research: XSS Risks when allowing domains

On a vanilla Magento (tested 2.4.8-p1) installation without this feature, 25 of the 46 items on the allowed domains list can be used to inject XSS.

An example as *.google.com is whitelisted in the magento/module-payment-services-paypal/etc/csp_whitelist.xml which allows at least the following possible injection.

This input is reflected on the endpoint and therefore it will trigger alert(1337), this can become anything.

More information about this, take a look at renniepak/CSPBypass and test your own domains.

Technique

The extension checks wetter a .phtml file is loaded within an extension, if this is true, the extension will be allowed to load it's whitelist.

Adding domains and hashes without use of XML

You can use ViewModel \Hyva\OptimizedCspAllowlist\ViewModel\Hosts::add(string $policyId, ['host.ext', ...]) to add domains without the use of csp_whitelist.xml.

This gives more flexibility as you can be very specific on which domains or hashes you want to allow in the frontend. This also brings the possibility to have dynamic domains on multilingual stores or using a specific CDN on a specific store.

For instance, the Google Analytics .phtml file can include registration for the domain in the same file instead of XML, making sure that only that script can be loaded on that page.

Dynamic domains

This will also bring the possible to add custom domains when using multilingual domains, no more *.host.ext but allow lang.host.ext instead.

Viewmodels for any theme

Viewmodels can be injected in layout.xml for any theme.

In your .phtml file you

Viewmodel registry when using Hyvä Themes

When using Hyvä Themes, `$viewmodel->require(...) can be used.

Notes

During research I ran into some miss configurations in default Magento extensions, for instance. google-analytics.com is whitelisted in the adwords extension. Enabling google analytics in the backend will not add the header for GA because the domain is registered in the google adwords extension. 🤷

Copyright

Hyvä Themes 2025-

Author


All versions of magento2-optimized-csp-allowlist with dependencies

PHP Build Version
Package Version
Requires php Version >=8.1
magento/framework Version *
magento/module-csp Version 100.4.*
Composer command for our command line client (download client) This client runs in each environment. You don't need a specific PHP version etc. The first 20 API calls are free. Standard composer command

The package hyva-themes/magento2-optimized-csp-allowlist contains the following files

Loading the files please wait ....