Add Mage_Csp Module #4753
Add Mage_Csp Module #4753
Conversation
github-actions
bot
added
Template : admin
Hanmac
added
new feature
Template : admin
|
@Tomasz-Silpion would you like to review this? |
|
I'm interested in this feature, but looking at the implementation, is there a specific reason why a block that doesn't return anything was used, instead of setting the headers during the HTTP response dispatch phase (e.g., in an event like http_response_send_before)? |
I want to update it with different Layout updates. |
|
My doubt is why add a layout update if the feature is not at the view level? Even the module you mentioned does not work on the layout, there is a particular reason for this choice? |
Because layout updates are an easy way to switch and add values to this |
|
|
||
| $this->setXml($config->getNode()); | ||
|
|
||
| if (Mage::app()->useCache('config_api')) { |
There was a problem hiding this comment.
why cache this in config_api?
There was a problem hiding this comment.
I updated the cache type and the cache id
I think it makes sense to mark this under cache_type=config ?
There was a problem hiding this comment.
I tested the cache behavior of csp.xml but it doesn’t seem to be working as expected.
Here are the steps I followed:
- Enabled only the CONFIG cache
- Loaded the frontend and confirmed that *.cloudflare.com appears in the CSP script-src header
- Added a new host *.test.com to csp.xml under script-src
- Reloaded the frontend, and the changes were immediately reflected in the header — but it should still show only *.cloudflare.com until the CONFIG cache is refreshed
There was a problem hiding this comment.
ugh, i need to debug it, i took the Cache thing from there: #4721
|
@Hanmac can you allow to create PRs to your repo? Suggestion ... sreichel@be203c1 |
CS Fixer complained about this line |
|
Um, all checks are green ... https://github.com/sreichel/magento-lts/actions/runs/14600225861 (i have only removed a space) |
"Allow edits and access to secrets by maintainers" is enabled |
Co-authored-by: Fabrizio Balliano <fabrizio.balliano@gmail.com>
Co-authored-by: Fabrizio Balliano <fabrizio.balliano@gmail.com>
Co-authored-by: Fabrizio Balliano <fabrizio.balliano@gmail.com>
Co-authored-by: Fabrizio Balliano <fabrizio.balliano@gmail.com>
Co-authored-by: Fabrizio Balliano <fabrizio.balliano@gmail.com>
Co-authored-by: Fabrizio Balliano <fabrizio.balliano@gmail.com>
Co-authored-by: Fabrizio Balliano <fabrizio.balliano@gmail.com>
|
Dont want to ask for adding tests, but to review #4758. I'll add tests for Mage_Csp asap. |
|
|
@sreichel what do you think? Should I add events to the Block too? |
|
What events are you thinking about? |
Event in Block that takes the So the User can define more Header depending on other values. Edit: might need to find a good name for the Event |
Das "Danke" manchen ein Fremdwort ist ... |
Description (*)
Big Inspired by #4721, but extended with:
Related Pull Requests
Fixed Issues (if relevant)
Manual testing scenarios (*)
Questions or comments
Contribution checklist (*)