pim-community-dev
Content Security Policy error Akeneo 4.x
Hello,
We have a Content Security Policy issue on Akeneo version 4.x.
Let me know if anyone can help with this.
Thanks
We are facing the same issue. Did you find a solution?
https://github.com/akeneo/pim-community-dev/issues/13534
The only way I found is to modify the class AddContentSecurityPolicyListener (using service overriding) and the method `public function addCspHeaders(FilterResponseEvent $event): void`; there you can put what you need. I need images from Cloudinary and I have to put this:

```php
// Inside AddContentSecurityPolicyListener::addCspHeaders(FilterResponseEvent $event):
// the policy string is built with the per-request nonce, then set on the response.
$policy = sprintf(
    "default-src 'self' *.akeneo.com 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' 'nonce-%s'; img-src 'self' *.cloudinary.com data: ; frame-src * ; font-src 'self' data:",
    $this->generatedNonce
);
```
I didn't find a solution; if you find one, please share it.
Refused to connect to 'http://akeneo.webteambut.fr/_wdt/49374e' because it violates the following Content Security Policy directive: "default-src 'self' *.akeneo.com 'unsafe-inline'". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.
Did you try what I've suggested?
Yes, I did, but still the same error :(
And did you clear the cache with `make cache`?
Also, you have to override the original yml service declaration with your service (or modify the file directly in /vendor, for testing only).
In my case I've overridden it with this class: `Roca\CommonBundle\EventListener\AddContentSecurityPolicyListener`
and the declaration looks like this in services.yml:

```yaml
services:
    # Replaces the stock CSP listener with the overriding class; the nonce
    # generator is still injected so 'nonce-%s' in the policy keeps working.
    security.event_listener.add_csp:
        class: Roca\CommonBundle\EventListener\AddContentSecurityPolicyListener
        arguments:
            - '@security.script_nonce_generator'
        tags:
            - { name: kernel.event_subscriber }
```
This code already exists; I really don't know in which class I have to make changes for "Content-Security-Policy".
How can I clear the cache for the dev environment in Akeneo?
make cache
Any update on this?
Found this post while searching for "Akeneo adding new content security policy". The answer from @jotalops is somewhat right, but I found a better solution.

`AddContentSecurityPolicyListener.php` is responsible for adding headers on every response event, but overriding it is not the best way to add your own policies. Instead I took a deeper look around and found the class `ContentSecurityPolicyProvider.php`. It basically gets every policy provider, calls their `getContentSecurityPolicy` method and merges the policies. Later on it merges the policies into one big string, which is then returned to the `AddContentSecurityPolicyListener.php` class and set for the required headers.

So my way of adding my own `img-src` consists of making a new provider and returning a string which is then merged with the original policy. By doing this the original service is kept intact.

Create a provider service which implements the `ContentSecurityPolicyProviderInterface` interface. That class should implement the method `getContentSecurityPolicy` and return something like this:

```php
// Method of a class implementing ContentSecurityPolicyProviderInterface.
// Keys are CSP directive names, values are the extra sources to merge into
// the policy that Akeneo already builds.
public function getContentSecurityPolicy(): array
{
    return [
        'img-src' => ['https://mydomain.com'],
    ];
}
```

The service needs to be tagged with `akeneo.pim.security.content_security_policy_provider`. So in the end it should look like this:

```yaml
# The tag is what makes ContentSecurityPolicyProvider pick the service up.
pim.my_content_security_policy_provider:
    class: '%pim.my_content_security_policy_provider.class%'
    tags:
        - { name: akeneo.pim.security.content_security_policy_provider }
```

Be sure to clear the cache and reload the page. The provider should be automatically injected into `ContentSecurityPolicyProvider.php`. The `ContentSecurityPolicyProvider.php` builds the policy string, which is later set by `AddContentSecurityPolicyListener.php` for the required headers.
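The thread relies on two things without showing them: how per-directive arrays from several providers end up as one header value, and why a request is judged by `default-src` when its own directive is absent (the `connect-src` fallback in the browser error quoted above). The following is an added example written for this thread; it is not Akeneo's code and not code posted by any participant. The helper names (`mergeCspPolicies`, `renderCspHeader`, `effectiveDirective`, `riskySources`) are hypothetical, the base policy is a constructed sample taken from the `sprintf` string earlier in the thread, and the provider array uses the same shape as the `getContentSecurityPolicy` return value above.

```php
<?php
// Added example (not Akeneo's code): a minimal model of merging provider
// arrays into a Content-Security-Policy header, plus a fallback check and a
// review helper. Helper names are hypothetical; sample data is constructed.

/** Merge provider arrays of the form ['img-src' => ['https://a'], ...] into a base policy. */
function mergeCspPolicies(array $base, array ...$providers): array
{
    $merged = $base;
    foreach ($providers as $policy) {
        foreach ($policy as $directive => $sources) {
            $existing = $merged[$directive] ?? [];
            // Keep first-seen order, drop duplicates, so repeated providers are harmless.
            $merged[$directive] = array_values(array_unique(array_merge($existing, $sources)));
        }
    }
    return $merged;
}

/** Render the merged array as a header value, appending the per-request nonce to script-src. */
function renderCspHeader(array $policy, ?string $nonce = null): string
{
    if ($nonce !== null) {
        $policy['script-src'][] = sprintf("'nonce-%s'", $nonce);
    }
    $parts = [];
    foreach ($policy as $directive => $sources) {
        $parts[] = $directive . ' ' . implode(' ', $sources);
    }
    return implode('; ', $parts);
}

/**
 * Which directive governs a fetch of the given kind (connect-src, img-src, ...)?
 * Fetch directives fall back to default-src when not set; that is the fallback
 * the browser message in this thread refers to. Non-fetch directives such as
 * frame-ancestors do not fall back and are not modelled here.
 */
function effectiveDirective(array $policy, string $fetchDirective): string
{
    return isset($policy[$fetchDirective]) ? $fetchDirective : 'default-src';
}

/** Flag sources a reviewer would want justified before the policy ships. */
function riskySources(array $policy): array
{
    $findings = [];
    foreach ($policy as $directive => $sources) {
        foreach ($sources as $source) {
            if (in_array($source, ['*', "'unsafe-inline'", "'unsafe-eval'"], true)) {
                $findings[] = sprintf('%s allows %s', $directive, $source);
            }
        }
    }
    return $findings;
}

// Constructed sample: the base policy from the sprintf string in this thread.
$base = [
    'default-src' => ["'self'", '*.akeneo.com', "'unsafe-inline'"],
    'script-src'  => ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
    'img-src'     => ["'self'", 'data:'],
    'frame-src'   => ['*'],
    'font-src'    => ["'self'", 'data:'],
];
// A provider in the shape of getContentSecurityPolicy(), adding one image host.
$cloudinaryProvider = ['img-src' => ['*.cloudinary.com']];

$merged = mergeCspPolicies($base, $cloudinaryProvider);
echo renderCspHeader($merged, 'abc123'), PHP_EOL;

// connect-src is not set, so an XHR (such as the profiler toolbar request in the
// quoted error) is judged by default-src, which is why adding the host only to
// img-src does not help that request.
echo effectiveDirective($merged, 'connect-src'), PHP_EOL;

foreach (riskySources($merged) as $finding) {
    echo $finding, PHP_EOL;
}
```

Running this prints the merged header with `*.cloudinary.com` appended to `img-src`, then `default-src` for the `connect-src` lookup, then one line per broad source (`'unsafe-inline'`, `'unsafe-eval'`, `*`) that the sample policy carries. A provider that needs an external API reachable from the browser would therefore return a `connect-src` entry rather than widening `default-src`.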