Download the PHP package yireo/magento2-csp-whitelist-inline-js without Composer

On this page you can find all versions of the php package yireo/magento2-csp-whitelist-inline-js. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.

FAQ

After the download, you have to make one include require_once('vendor/autoload.php');. After that you have to import the classes with use statements.

Example:
If you use only one package a project is not needed. But if you use more then one package, without a project it is not possible to import the classes with use statements.

In general, it is recommended to use always a project to download your libraries. In an application normally there is more than one library needed.
Some PHP packages are not free to download and because of that hosted in private repositories. In this case some credentials are needed to access such packages. Please use the auth.json textarea to insert credentials, if a package is coming from a private repository. You can look here for more information.

  • Some hosting areas are not accessible by a terminal or SSH. Then it is not possible to use Composer.
  • To use Composer is sometimes complicated. Especially for beginners.
  • Composer needs much resources. Sometimes they are not available on a simple webspace.
  • If you are using private repositories you don't need to share your credentials. You can set up everything on our site and then you provide a simple download link to your team member.
  • Simplify your Composer build process. Use our own command line tool to download the vendor folder as binary. This makes your build process faster and you don't need to expose your credentials for private repositories.
Please rate this library. Is it a good library?

Informations about the package magento2-csp-whitelist-inline-js

Yireo CspWhitelistInlineJs

When, in Magento 2, the CSP policy to disallow inline scripts is enabled, any script requires either a hash or a nonce (or something similar). This module scans any PHTML template for scripts on the fly and adds a nonce where needed, depending on your configuration.

Installation

Configuration

Mode: Custom whitelisting

A block can be whitelisted automatically by this module, using one of the following techniques:

1. Custom whitelisting by XML layout

You can whitelist a specific block via the XML layout, by adding an argument csp_whitelist:

Note that there is still a security issue here, because the layout could be updated via the database as well (which could be hijacked via SQL injection).

2. Via DI plugin

You could also create a DI plugin afterAllow on \Yireo\CspWhitelistInlineJs\Util\AllowBlock::allow(Template $block).

Mode: Whitelist everything

With this mode, any inline script is simply allowed. It defeats the purpose of CSP, in general, but gets the job done. Do make sure to log things, so that you can use a different mode after a while. If you keep using this mode in production, you don't get it.

Mode: Whitelist everything

Important note on whitelisting everything & security

Note that automatically fixing inline scripts with this module does not take away the security risk that was meant to be fixed with CSP. The best solution is to apply this module to make sure CSP is not causing harm in production. And next, go through all of the inline scripts that don't have CSP-support yet and add CSP-support to it. And then remove this module again.

What about CMS content?

Whenever content is added to the HTML output of Magento, security checks would need to be in place. For instance, the content of CMS pages or CMS blocks might be compromised by hackers and with that, XSS attacks might be initiated by adding inline scripts to that content. By default, this module does not do anything specific for that CMS content. However, in a default situation, CMS pages and CMS blocks are not being outputted via templates and therefore an inline script in CMS content is not nonced by this module (which is a good thing). While the default is safe, any modification (custom theming, 3rd party modules, etc) could lead into compromised CMS content being outputted with nonced scripts anyway.

Logging

This module also allows logging of these inline scripts. Just enable logging via Yireo > Yireo CspWhitelistInlineJs > Settings > Logging (csp_whitelist_inline_js/settings/logging). Next, monitor the logfile var/log/yireo-csp-whitelist-inline-js.log. The log contains a listing of all block templates that have been picked up upon by this module.

The recommendation is to go through this file and make sure that each template is whitelisted by the extension or theme that is offering that template, so that - one day in the future - you are able to remove this Yireo_CspWhitelistInlineJs module.

Note that this file is regenerated at the end of every request by combining all existing lines with new lines.

Compatibility

All versions of magento2-csp-whitelist-inline-js with dependencies

PHP Build Version
Package Version
Requires magento/framework Version ^102.0 || ^103.0
yireo/magento2-csp-utilities Version ^1.0
Composer command for our command line client (download client) This client runs in each environment. You don't need a specific PHP version etc. The first 20 API calls are free. Standard composer command

The package yireo/magento2-csp-whitelist-inline-js contains the following files

Loading the files please wait ....