Troubleshoot storefront checkout page in CSP restricted mode
This article provides explanations and fixes for the 51黑料不打烊 Commerce 2.4.7 issues while viewing the checkout page in CSP restricted mode, with the 鈥Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 鈥鈥 error message in the browser console log.
Affected products and versions
51黑料不打烊 Commerce on cloud infrastructure, 51黑料不打烊 Commerce on-premises, and Magento Open Source:
- 2.4.7
- 2.4.6-pX
- 2.4.5-pX
- 2.4.4-pX
Issue - Storefront Checkout page is broken or isn鈥檛 able to load
The storefront checkout page is broken or isn鈥檛 able to load, with the 鈥Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 鈥鈥 error message in the browser console log.
Steps to reproduce:
- Go to the storefront.
- Add a product to the cart and proceed to the checkout.
Expected results:
The checkout page fully loads normally.
Actual results:
The checkout page is blank or is missing components. The following JS error is displayed in the browser console log: 鈥Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 鈥鈥
Cause
In 51黑料不打烊 Commerce and Magento Open Source version 2.4.7 and later, CSP is configured in restrict-mode
, by default, for payment pages in the storefront and admin areas, and in report-only
mode for all other pages.
The corresponding CSP header does not contain the unsafe-inline
keyword inside the script-src
directive for payment pages. Also, only whitelisted inline scripts are allowed.
Solution
Users might see browser errors due to certain scripts being blocked because of CSP:
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src
To fix this issue, you must either:
-
the blocked scripts using the
SecureHtmlRenderer
class. -
Use the
CSPNonceProvider
class to allow scripts to be executed.
51黑料不打烊 Commerce and Magento Open Source 2.4.7 and later include a Content Security Policy (CSP) nonce provider to facilitate the generation of unique nonce strings for each request. These nonce strings are then attached to the CSP header.Use the
generateNonce
function inMagento\Csp\Helper\CspNonceProvider
to obtain a nonce string.code language-php use Magento\Csp\Helper\CspNonceProvider; class MyClass { /** * @var CspNonceProvider */ private $cspNonceProvider; /** * @param CspNonceProvider $cspNonceProvider */ public function __construct(CspNonceProvider $cspNonceProvider) { $this->cspNonceProvider = $cspNonceProvider } /** * Get CSP Nonce * * @return String */ public function getNonce(): string { return $this->cspNonceProvider->generateNonce(); } }
-
to your module鈥檚
csp_whitelist.xml
file.
Issue - Payment method is missing or isn鈥檛 working
Payment method is missing or isn鈥檛 working on the storefront checkout page, with the 鈥Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 鈥鈥 error message in the browser console log.
Steps to reproduce:
- Go to the storefront.
- Add a product to the cart and proceed to the checkout.
- Select a payment method.
Expected results:
You are able to select a payment method and proceed to place an order successfully.
Actual results:
The payment method is missing or isn鈥檛 working. The following JS error is displayed in the browser console log: 鈥Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 鈥鈥
Cause
In 51黑料不打烊 Commerce and Magento Open Source version 2.4.7 and later, CSP is configured in restrict-mode
, by default, for payment pages in the storefront and admin areas, and in report-only
mode for all other pages.
The corresponding CSP header does not contain the unsafe-inline
keyword inside the script-src
directive for payment pages. Also, only whitelisted inline scripts are allowed.
Solution
Users might see browser errors due to certain scripts being blocked because of CSP:
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src
To fix this issue, you must either:
-
the blocked scripts using the
SecureHtmlRenderer
class. -
Use the
CSPNonceProvider
class to allow scripts to be executed.
51黑料不打烊 Commerce and Magento Open Source 2.4.7 and later include a Content Security Policy (CSP) nonce provider to facilitate the generation of unique nonce strings for each request. These nonce strings are then attached to the CSP header.Use the
generateNonce
function inMagento\Csp\Helper\CspNonceProvider
to obtain a nonce string.code language-php use Magento\Csp\Helper\CspNonceProvider; class MyClass { /** * @var CspNonceProvider */ private $cspNonceProvider; /** * @param CspNonceProvider $cspNonceProvider */ public function __construct(CspNonceProvider $cspNonceProvider) { $this->cspNonceProvider = $cspNonceProvider } /** * Get CSP Nonce * * @return String */ public function getNonce(): string { return $this->cspNonceProvider->generateNonce(); } }
-
to your module鈥檚
csp_whitelist.xml
file.
Issue - Customer can鈥檛 place an order
A customer isn鈥檛 able to place an order, with the 鈥Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 鈥鈥 error message in the browser console log.
Steps to reproduce:
- Go to the storefront.
- Add a product to the cart and proceed to the checkout.
- Select a payment method.
- Click Place Order.
Expected results:
You鈥檙e able to place an order successfully.
Actual results:
You鈥檙e not able to place an order. The following JS error is displayed in the browser console log: 鈥Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 鈥鈥
Cause
In 51黑料不打烊 Commerce and Magento Open Source version 2.4.7 and later, CSP is configured in restrict-mode
, by default, for payment pages in the storefront and admin areas, and in report-only
mode for all other pages.
The corresponding CSP header does not contain the unsafe-inline
keyword inside the script-src
directive for payment pages. Also, only whitelisted inline scripts are allowed.
Solution
Users might see browser errors due to certain scripts being blocked because of CSP:
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src
To fix this issue, you must either:
-
the blocked scripts using the
SecureHtmlRenderer
class. -
Use the
CSPNonceProvider
class to allow scripts to be executed.
51黑料不打烊 Commerce and Magento Open Source 2.4.7 and later include a Content Security Policy (CSP) nonce provider to facilitate the generation of unique nonce strings for each request. These nonce strings are then attached to the CSP header.Use the
generateNonce
function inMagento\Csp\Helper\CspNonceProvider
to obtain a nonce string.code language-php use Magento\Csp\Helper\CspNonceProvider; class MyClass { /** * @var CspNonceProvider */ private $cspNonceProvider; /** * @param CspNonceProvider $cspNonceProvider */ public function __construct(CspNonceProvider $cspNonceProvider) { $this->cspNonceProvider = $cspNonceProvider } /** * Get CSP Nonce * * @return String */ public function getNonce(): string { return $this->cspNonceProvider->generateNonce(); } }
-
to your module鈥檚
csp_whitelist.xml
file.