Created
June 18, 2021 14:33
Magento 2: Content Security Policy XML #magento2 #content-security #whitelist #csp
<?xml version="1.0" encoding="UTF-8"?>
<!--
    The HTTP Content-Security-Policy response header lets you control which resources the
    user agent is allowed to load for a given page.
    This mostly involves defining rules for specific origins or script endpoints, and helps guard against
    cross-site scripting attacks (XSS).
-->
<csp_whitelist
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Csp:etc/csp_whitelist.xsd">
    <!-- Magento expects a "policies" node, with any number of "policy" child nodes. -->
    <policies>
        <!-- The id specified here becomes the directive name (the "key") in the Content-Security-Policy header. -->
        <policy id="script-src">
            <values>
                <!--
                    This is the "value" in the Content-Security-Policy key:value store.
                    The id is arbitrary but must be unique, while the type is expected to be "host".
                    The text of this child is the host (origin) you wish to allowlist.
                -->
                <value id="jsdelivr" type="host">https://cdn.jsdelivr.net</value>
            </values>
        </policy>
    </policies>
</csp_whitelist>
<!--
    The above nodes create an HTTP header that resembles:
    Content-Security-Policy: script-src 'self' https://cdn.jsdelivr.net;
    This allows scripts to be loaded from https://cdn.jsdelivr.net.
-->
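As an added example (not part of this gist and not Magento's own code), the Python script below parses a csp_whitelist.xml in the format shown above, renders the header value the comment describes, and flags allowlist entries broad enough to defeat the point of CSP. The sample document, the host-only handling and the list of "broad" source expressions are assumptions of this example.

```python
"""Parse a Magento 2 csp_whitelist.xml, render the resulting header, and lint it.
Added example, not Magento code; only type="host" entries are handled."""
import xml.etree.ElementTree as ET

# Constructed sample in the format of the gist above, with two deliberately broad entries.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<csp_whitelist xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Csp:etc/csp_whitelist.xsd">
  <policies>
    <policy id="script-src">
      <values>
        <value id="jsdelivr" type="host">https://cdn.jsdelivr.net</value>
        <value id="any-https" type="host">https:</value>
      </values>
    </policy>
    <policy id="img-src">
      <values><value id="any" type="host">*</value></values>
    </policy>
  </policies>
</csp_whitelist>"""

# Source expressions that let a directive accept almost any origin (assumed lint list).
BROAD_SOURCES = {"*", "https:", "http:", "data:", "blob:"}


def parse_whitelist(xml_text):
    """Return {directive_id: [host, ...]} from the policies/policy/values/value tree."""
    policies = {}
    for policy in ET.fromstring(xml_text).iter("policy"):
        hosts = policies.setdefault(policy.get("id"), [])
        for value in policy.iter("value"):
            if value.get("type") != "host":  # hash-type entries are out of scope here
                raise ValueError(f"unsupported value type {value.get('type')!r}")
            hosts.append(value.text.strip())
    return policies


def render_header(policies):
    """Build the header value, prepending 'self' to each directive as the gist's comment shows."""
    self_src = "'self'"
    parts = [f"{d} {' '.join([self_src] + hosts)}" for d, hosts in policies.items()]
    return "; ".join(parts) + ";"


def lint(policies):
    """Return (directive, source) pairs too broad to give meaningful XSS protection."""
    return [(d, src) for d, hosts in policies.items() for src in hosts
            if src in BROAD_SOURCES or src.startswith("*.") or "://*." in src]
```

Running `lint(parse_whitelist(SAMPLE_XML))` reports the `https:` and `*` entries while leaving the specific CDN origin alone.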