magex/content-security-policy

Allows adding CSP domains from the Admin

Installs: 1 221

Dependents: 0

Suggesters: 0

Security: 0

Stars: 0

Watchers: 1

Forks: 0

Open Issues: 0

Type: magento2-module

1.0.0 2021-04-25 07:56 UTC

This package is auto-updated.

Last update: 2025-07-08 09:20:44 UTC


README

magex/content-security-policy

As of version 2.3.5, Magento supports CSP headers and provides ways to configure them. (This functionality is defined in the Magento_Csp module.) Magento also provides default configurations at the application level and for individual core modules that require extra configuration. Policies can be configured for adminhtml and storefront areas separately to accommodate different use cases. Magento also permits configuring unique CSPs for specific pages.

Main Functionalities

  • This module lets an Admin user add external sources to the CSP header from Store configuration

Installation

* In production, use the --keep-generated option.

Type 1: Zip file

  • Unzip the zip file in app/code/MagEx
  • Enable the module by running php bin/magento module:enable MagEx_ContentSecurityPolicy
  • Apply database updates by running php bin/magento setup:upgrade*
  • Flush the cache by running php bin/magento cache:flush

Type 2: Composer

  • Make the module available in a Composer repository, for example:
    • the public repository packagist.org
    • a public GitHub repository as VCS
  • Install the module with Composer by running composer require magex/content-security-policy
  • Enable the module by running php bin/magento module:enable MagEx_ContentSecurityPolicy
  • Apply database updates by running php bin/magento setup:upgrade*
  • Flush the cache by running php bin/magento cache:flush

Configuration

  • global: Global policy.
  • default-src: The default policy.
  • base-uri: Defines which URLs can appear in a page’s <base> element.
  • child-src: Defines the sources for workers and embedded frame contents.
  • connect-src: Defines the sources that can be loaded using script interfaces.
  • font-src: Defines which sources can serve fonts.
  • form-action: Defines valid endpoints for submission from <form> tags.
  • frame-ancestors: Defines the sources that can embed the current page.
  • frame-src: Defines the sources for elements such as <frame> and <iframe>.
  • img-src: Defines the sources from which images can be loaded.
  • manifest-src: Defines the allowable contents of web app manifests.
  • media-src: Defines the sources from which images can be loaded.
  • object-src: Defines the sources for the <object>, <embed>, and <applet> elements.
  • script-src: Defines the sources for JavaScript <script> elements.
  • style-src: Defines the sources for stylesheets.
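
Added example (not part of the module or its README): once sources have been added per directive in the Admin, the resulting header value can be audited for entries that are broader than intended. The Python sketch below parses a Content-Security-Policy (or Content-Security-Policy-Report-Only) header value and flags such sources; the function names, reason strings and the sample header are constructed for illustration.

```python
# Added example: audit a CSP header value for overly broad sources.
# SAMPLE is constructed data, not output captured from the module.
SCRIPT_LIKE = {"default-src", "script-src", "object-src"}
UNSAFE = {"'unsafe-inline'", "'unsafe-eval'", "data:"}

def parse_csp(header_value):
    """Return {directive: [source, ...]} for one CSP header value."""
    policy = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if tokens:
            # A directive repeated within one policy is ignored after its first use.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def host_of(source):
    """Strip scheme, port and path from a host-source expression."""
    host = source.split("://", 1)[-1]
    return host.split("/", 1)[0].split(":", 1)[0]

def audit(header_value):
    """Return a sorted list of (directive, source, reason) findings."""
    findings = []
    for directive, sources in parse_csp(header_value).items():
        for src in sources:
            s = src.lower()
            if s in ("*", "http:", "https:"):
                reason = "matches any host"
            elif s.startswith("http://"):
                reason = "cleartext origin"
            elif s in UNSAFE and directive in SCRIPT_LIKE:
                reason = "permits injected script"
            elif host_of(s).startswith("*.") and host_of(s).count(".") < 2:
                reason = "wildcard covers a whole TLD"  # e.g. *.com
            else:
                continue
            findings.append((directive, src, reason))
    return sorted(findings)

SAMPLE = (
    "default-src 'self'; "
    "script-src 'self' 'unsafe-inline' https://cdn.example.com *.com; "
    "img-src 'self' data: http://img.example.net; font-src *"
)

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```

The TLD check only counts labels, so multi-label public suffixes such as *.co.uk are not caught without a public suffix list.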

Specifications

  • Config reader
    • MagEx\ContentSecurityPolicy\Collector\Config\ScopeConfigPolicyReader