magento/magento2#38933: Putting csp_whitelist.xml in theme does not work and creates intermittent issue #38933

[NitrogenUA]

Description (*)

• Implemented caching of CSP whitelist per website area.

Fixed Issues (if relevant)

1. Fixes Putting csp_whitelist.xml in theme does not work and creates intermittent issue #38933

Manual testing scenarios (*)

• Put csp_whitelist.xml under your frontend theme's etc/ directory. (You can put this in Luma theme too. Just any theme will work).
• Clear Magento 2 cache.
• Open Magento 2 admin area page. Using browser DevTools take note of CSP definitions response header.
• Open Magento 2 storefront, for instance in separate browser tab. Using browser DevTools take note of CSP definitions response header.
• Verify that theme's CSP whitelist is in effect on Magento 2 storefront by comparing CSP definition headers from each request.

Expected result

Magento 2 storefront CSP whitelist is applied even if admin area was accessed first after the cache reset.

Contribution checklist (*)

• Pull request has a meaningful description of its purpose
• All commits are accompanied by meaningful commit messages
• All new or changed code is covered with unit/integration tests (if applicable)
• README.md files for modified modules are updated and included in the pull request if any README.md predefined sections require an update
• All automated tests passed successfully (all builds are green)

[m2-assistant]

Hi @NitrogenUA. Thank you for your contribution!
Here are some useful tips on how you can test your changes using Magento test environment.
❗ Automated tests can be triggered manually with an appropriate comment:

• @magento run all tests - run or re-run all required tests against the PR changes
• @magento run <test-build(s)> - run or re-run specific test build(s)
  For example: @magento run Unit Tests

<test-build(s)> is a comma-separated list of build names.

Allowed build names are:

1. Database Compare
2. Functional Tests CE
3. Functional Tests EE
4. Functional Tests B2B
5. Integration Tests
6. Magento Health Index
7. Sample Data Tests CE
8. Sample Data Tests EE
9. Sample Data Tests B2B
10. Static Tests
11. Unit Tests
12. WebAPI Tests
13. Semantic Version Checker

You can find more information about the builds here
ℹ️ Run only required test builds during development. Run all test builds before sending your pull request for review.

---

For more details, review the Code Contributions documentation.
Join Magento Community Engineering Slack and ask your questions in #github channel.

[NitrogenUA]

@magento run all tests

[NitrogenUA]

@magento run all tests

[NitrogenUA]

@magento run Functional Tests B2B, Integration Tests

[NitrogenUA]

@magento run Functional Tests B2B, Integration Tests

[engcom-Hotel]

As the PR shows as draft in status, hence moving it to hold bucket.

@NitrogenUA Please let us know when the PR is ready for review.

[NitrogenUA]

@engcom-Hotel PR is ready for review.

[engcom-Hotel]

@magento run all tests

[engcom-Hotel]

Hello @NitrogenUA,

Please add some automated test in accordance to the DOD.

Thanks

[engcom-Dash]

@magento run all tests

[engcom-Hotel]

@magento run all tests

[engcom-Dash]

@magento run all tests

[engcom-Dash]

HI @NitrogenUA

Thanks for the collaboration & contribution!

✔️ QA Passed

Preconditions:

1. Install fresh Magento 2.4-develop

Steps to reproduce

1. Put csp_whitelist.xml under your frontend theme's etc/ directory.
2. Clear Magento 2 cache.
3. Open Magento 2 admin area page.
4. Open Magento 2 storefront. Using browser DevTools take note of CSP definitions response header.
5. Verify that theme's CSP whitelist is in effect on Magento 2 storefront

Before: ❌

PR-39672-before_1.mp4

After ✔️

PR-39672-After_1.mp4

Builds are failed hence moving this PR for Extended Testing.

Thanks!

[engcom-Dash]

@magento run Functional Tests B2B, Functional Tests CE

[engcom-Dash]

Test failures for Functional B2B are inconsistent and seems to be flaky. They neither part of PR nor failing because of the PR changes.

Build 1: https://public-results-storage-prod.magento-testing-service.engineering/reports/magento/magento2/pull/39672/630f1e8bfc5ea654dcf76a2a1c6f2db8/Functional/allure-report-b2b/index.html#categories/bdbf199525818fae7a8651db9eafe741

Build 2: https://public-results-storage-prod.magento-testing-service.engineering/reports/magento/magento2/pull/39672/a6e3b697ff7d78b35e3bf03e6027e6c0/Functional/allure-report-b2b/index.html#categories/8fb3a91ba5aaf9de24cc8a92edc82b5d

Test failures for Functional CE are inconsistent and seems to be flaky. They neither part of PR nor failing because of the PR changes.

Build 1: https://public-results-storage-prod.magento-testing-service.engineering/reports/magento/magento2/pull/39672/c114bc4a7a680086651bab6637315301/Functional/allure-report-ce/index.html#categories/8fb3a91ba5aaf9de24cc8a92edc82b5d

Build 2: https://public-results-storage-prod.magento-testing-service.engineering/reports/magento/magento2/pull/39672/0267a0e951359763def1f920e1bf3509/Functional/allure-report-ce/index.html#categories/8fb3a91ba5aaf9de24cc8a92edc82b5d

Hence moving this PR in Merge In Progress.