
Strict mode in Checkout

The Hyvä Checkout etc/config.xml file configures a strict CSP for the checkout route: 'unsafe-eval' and 'unsafe-inline' are removed from the script policy, and inline event handlers are disallowed.

Enforced strict CSP mode

Hyvä Checkout enforces strict Content Security Policies on the checkout.

etc/config.xml

The etc/config.xml file allows defining the CSP mode and policies per route. The current settings for Hyvä Checkout (placed inside the <default> node) are:

    <!-- disable inline scripts on hyva checkout -->
    <csp>
        <mode>
            <storefront_hyva_checkout_index_index>
                <report_only>0</report_only>
            </storefront_hyva_checkout_index_index>
        </mode>
        <policies>
            <storefront_hyva_checkout_index_index>
                <scripts>
                    <eval>0</eval>
                    <inline>0</inline>
                    <event_handlers>0</event_handlers>
                </scripts>
            </storefront_hyva_checkout_index_index>
        </policies>
    </csp>

Custom routes

If you use custom routes for custom checkout functionality, you should also apply the same policies there.

For example, assume your module Payment_Provider includes a route /payment/pay(/index).
The etc/frontend/routes.xml file would look as follows:

<?xml version="1.0"?>
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:noNamespaceSchemaLocation="urn:magento:framework:App/etc/routes.xsd">
    <router id="standard">
        <route id="payment_provider" frontName="payment">
            <module name="Payment_Provider"/>
        </route>
    </router>
</config>

To enforce a PCI DSS 4.0 compliant CSP on this custom route, add the following to your module's etc/config.xml file:

etc/config.xml

<?xml version="1.0"?>
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Store:etc/config.xsd"
>
    <default>
        <!-- disable inline scripts on payment pages -->
        <csp>
            <mode>
                <storefront_payment_provider_pay_index>
                    <report_only>0</report_only>
                </storefront_payment_provider_pay_index>
            </mode>
            <policies>
                <storefront_payment_provider_pay_index>
                    <scripts>
                        <eval>0</eval>
                        <inline>0</inline>
                        <event_handlers>0</event_handlers>
                    </scripts>
                </storefront_payment_provider_pay_index>
            </policies>
        </csp>
    </default>
</config>

Determining the config key for a route

The route /payment/pay/index maps to the config key storefront_payment_provider_pay_index.
Each part is determined as follows:

  • storefront or admin: the Magento area in which the route is available (frontend or adminhtml). For checkout pages, this is always storefront.
  • payment_provider: the value of the id attribute of the route in etc/frontend/routes.xml (not the frontName that appears in the URL).
  • pay: the action path, that is, the directory below the module's Controller directory (here Controller/Pay/Index.php).
  • index: the action class basename, in lowercase.
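The following Python script is an added example (not code from Hyvä Checkout or Magento) that applies the naming rule above: it reads the route id from a module's routes.xml, builds the config key from a controller file path, renders the <csp> node for that key, and checks an existing etc/config.xml for strict enforcement. It goes slightly beyond the example on this page by handling nested controller directories (Controller/Product/Compare/Index.php becomes product_compare, as in Magento's full action name); lowercasing of CamelCase action names is an assumption, since the page only shows lowercase names. The routes.xml content embedded below is the Payment_Provider sample from this page.

```python
"""Derive Magento CSP config keys and render/check the matching <csp> node.

Added example, not code from Hyva Checkout or Magento. Implements the rule
<area>_<route id>_<action path>_<action> described on the page.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the routes.xml of the Payment_Provider module above.
ROUTES_XML = """<?xml version="1.0"?>
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:noNamespaceSchemaLocation="urn:magento:framework:App/etc/routes.xsd">
    <router id="standard">
        <route id="payment_provider" frontName="payment">
            <module name="Payment_Provider"/>
        </route>
    </router>
</config>
"""

STRICT_SCRIPT_SETTINGS = ("eval", "inline", "event_handlers")


def route_ids(routes_xml: str) -> dict:
    """Map frontName -> route id for the standard (storefront) router.
    The config key uses the route id, not the frontName seen in the URL."""
    root = ET.fromstring(routes_xml)
    ids = {}
    for router in root.findall("router"):
        if router.get("id") == "standard":
            for route in router.findall("route"):
                ids[route.get("frontName")] = route.get("id")
    return ids


def csp_config_key(route_id: str, controller_file: str, area: str = "storefront") -> str:
    """'payment_provider' + 'Controller/Pay/Index.php'
    -> 'storefront_payment_provider_pay_index'.
    Nested directories are joined with '_' (Product/Compare -> product_compare).
    Assumption: every segment is lowercased, as in the page's examples."""
    parts = controller_file.replace("\\", "/").split("/")
    if "Controller" not in parts:
        raise ValueError("expected a path under the module's Controller directory")
    rel = parts[parts.index("Controller") + 1:]
    if len(rel) < 2:
        raise ValueError("expected Controller/<Path>/<Action>.php")
    action = rel[-1][:-4] if rel[-1].endswith(".php") else rel[-1]
    return "_".join(s.lower() for s in [area, route_id, *rel[:-1], action])


def csp_config_fragment(key: str) -> str:
    """Render the <csp> node to place under <default> in etc/config.xml:
    enforced mode (report_only=0) with eval, inline scripts and inline
    event handlers disabled for the given route key."""
    csp = ET.Element("csp")
    mode_entry = ET.SubElement(ET.SubElement(csp, "mode"), key)
    ET.SubElement(mode_entry, "report_only").text = "0"
    policy_entry = ET.SubElement(ET.SubElement(csp, "policies"), key)
    scripts = ET.SubElement(policy_entry, "scripts")
    for name in STRICT_SCRIPT_SETTINGS:
        ET.SubElement(scripts, name).text = "0"
    return ET.tostring(csp, encoding="unicode")


def is_strict(config_xml: str, key: str) -> bool:
    """True if the given etc/config.xml enforces (report_only=0) and disables
    eval, inline scripts and event handlers for the route key."""
    root = ET.fromstring(config_xml)
    report_only = root.findtext(f"default/csp/mode/{key}/report_only")
    scripts = root.find(f"default/csp/policies/{key}/scripts")
    if report_only != "0" or scripts is None:
        return False
    return all(scripts.findtext(name) == "0" for name in STRICT_SCRIPT_SETTINGS)


if __name__ == "__main__":
    key = csp_config_key(route_ids(ROUTES_XML)["payment"], "Controller/Pay/Index.php")
    print(key)
    print(csp_config_fragment(key))
```

Run it inside your module directory after adding a custom route; paste the printed fragment under <default> in etc/config.xml, then pass the whole file to is_strict() to confirm the key is enforced and not left in report-only mode.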

Report only

During development, it may be useful to switch to report-only mode. If enabled in the etc/config.xml file using <report_only>1</report_only>, the browser only reports violations (to the console and, if configured, to the report URI) and still executes the offending scripts, so the policy gives no protection in that mode. Set it back to 0 before going live.

CSP violation reporting

Magento can be configured with a report URI to which browsers send CSP violation reports. Refer to the Magento Developer Documentation for details.
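Configuration alone does not prove what the browser receives: a caching layer, a second module or a leftover report-only setting can change the headers on the checkout route. The script below is an added example (not code from Hyvä Checkout or Magento) that audits the CSP response headers of a page: it flags a policy that is only report-only, a script-src that still allows 'unsafe-inline' or 'unsafe-eval', a missing script restriction, and a missing report-uri/report-to directive. The header values embedded in it are constructed samples, not captured from a real shop; the shop hostname in the usage line is hypothetical.

```python
"""Audit the Content-Security-Policy headers returned by a checkout route.

Added example, not from Hyva Checkout or Magento. Offline use: pass a dict
of response headers. Online use: python audit_csp.py https://shop.example/payment/pay/index
(hostname is hypothetical).
"""
import sys

ENFORCED = "content-security-policy"
REPORT_ONLY = "content-security-policy-report-only"


def parse_csp(value: str) -> dict:
    """'default-src a; script-src b c' -> {'default-src': ['a'], 'script-src': ['b', 'c']}"""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def script_sources(policy: dict) -> list:
    """script-src falls back to default-src when it is absent (CSP semantics)."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src", [])


def audit_csp_headers(headers: dict) -> list:
    """Return a list of findings; an empty list means a strict policy is enforced."""
    lowered = {k.lower(): v for k, v in headers.items()}
    findings = []
    if REPORT_ONLY in lowered and ENFORCED not in lowered:
        findings.append("policy is report-only: violations are logged but scripts still run")
    if ENFORCED not in lowered:
        findings.append("no enforced Content-Security-Policy header")
        return findings
    policy = parse_csp(lowered[ENFORCED])
    sources = [s.strip("'").lower() for s in script_sources(policy)]
    if not sources:
        findings.append("no script-src or default-src directive: scripts are unrestricted")
    # 'unsafe-inline' next to a nonce or hash is ignored by CSP Level 2+ browsers,
    # but its presence still means the route is not configured for strict mode.
    for weak in ("unsafe-inline", "unsafe-eval"):
        if weak in sources:
            findings.append(f"script-src allows '{weak}'")
    if "report-uri" not in policy and "report-to" not in policy:
        findings.append("no report-uri/report-to directive: violations will not be reported")
    return findings


def fetch_headers(url: str) -> dict:
    """GET the page (not HEAD, so the full response pipeline runs) and return its headers."""
    import urllib.request
    with urllib.request.urlopen(url) as resp:  # noqa: S310 - operator-supplied URL
        return dict(resp.headers)


# Constructed samples (not captured from a real shop).
STRICT_RESPONSE = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-abc123' "
                               "https://js.example-psp.test; report-uri /csp-report",
}
REPORT_ONLY_RESPONSE = {
    "Content-Security-Policy-Report-Only": "script-src 'self' 'unsafe-inline' 'unsafe-eval'",
}

if __name__ == "__main__":
    headers = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else REPORT_ONLY_RESPONSE
    for finding in audit_csp_headers(headers) or ["OK: strict CSP enforced"]:
        print(finding)
```

Run it against every route you hardened (the checkout itself and each custom payment route) after deployment and after cache flushes; a non-empty result on a production host means the etc/config.xml settings are not reaching the browser.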