magento2: [2.3.5][Magento_Csp] Content-Security-Policy header is too large

Preconditions (*)

  1. Magento CE/EE 2.3.5 with Sample Data (composer installation)
  2. Nginx 1.17.10 / FPM (PHP 7.3.16).
  3. Default Nginx config used (nginx.conf.sample)

Steps to reproduce (*)

  1. Navigate to URL: /women/tops-women.html

Expected result (*)

  1. Category should open without any issues

Actual result (*)

  1. Error - Nginx: 502 Bad Gateway.
  2. Nginx logs:

upstream sent too big header while reading response header from upstream.

Actually this happens on many different pages. After some investigation and comparing with a 2.3.4 installation I have found that the module “Magento_Csp” is adding an extra-large header, “Content-Security-Policy” or “Content-Security-Policy-Report-Only”, which breaks the default Nginx limit for header size (4k).

Just to compare, here are the response headers added by Magento in 2.3.4 / 2.3.5 for the same Women/Tops category:

  1. 2.3.4: ~ 2.9k in size (because of product cache tags)
[
  "X-Powered-By: PHP\/7.3.16",
  "Set-Cookie: mage-cache-sessid=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=\/",
  "Set-Cookie: PHPSESSID=3e3b551e44eff750b888b718a1080043; expires=Mon, 04-May-2020 11:08:41 GMT; Max-Age=3600; path=\/; domain=magento2.local; secure; HttpOnly",
  "Set-Cookie: form_key=XUgokXJjBnndASPS; expires=Mon, 04-May-2020 11:08:41 GMT; Max-Age=3600; path=\/; domain=magento2.local; secure",
  "Pragma: cache",
  "Cache-Control: max-age=86400, public, s-maxage=86400",
  "Expires: Tue, 05 May 2020 10:08:42 GMT",
  "X-Magento-Tags: store,cms_b,cms_b_1,cms_b_footer_links_block,cat_c_21,cat_c_p_21,cat_p_1082,cat_p,cat_p_1067,cat_p_1068,cat_p_1069,cat_p_1070,cat_p_1071,cat_p_1072,cat_p_1073,cat_p_1074,cat_p_1075,cat_p_1076,cat_p_1077,cat_p_1078,cat_p_1079,cat_p_1080,cat_p_1081,cat_p_1136,cat_p_1121,cat_p_1122,cat_p_1123,cat_p_1124,cat_p_1125,cat_p_1126,cat_p_1127,cat_p_1128,cat_p_1129,cat_p_1130,cat_p_1131,cat_p_1132,cat_p_1133,cat_p_1134,cat_p_1135,cat_p_1274,cat_p_1259,cat_p_1260,cat_p_1261,cat_p_1262,cat_p_1263,cat_p_1264,cat_p_1265,cat_p_1266,cat_p_1267,cat_p_1268,cat_p_1269,cat_p_1270,cat_p_1271,cat_p_1272,cat_p_1273,cat_p_1450,cat_p_1435,cat_p_1436,cat_p_1437,cat_p_1438,cat_p_1439,cat_p_1440,cat_p_1441,cat_p_1442,cat_p_1443,cat_p_1444,cat_p_1445,cat_p_1446,cat_p_1447,cat_p_1448,cat_p_1449,cat_p_1498,cat_p_1483,cat_p_1484,cat_p_1485,cat_p_1486,cat_p_1487,cat_p_1488,cat_p_1489,cat_p_1490,cat_p_1491,cat_p_1492,cat_p_1493,cat_p_1494,cat_p_1495,cat_p_1496,cat_p_1497,cat_p_1514,cat_p_1499,cat_p_1500,cat_p_1501,cat_p_1502,cat_p_1503,cat_p_1504,cat_p_1505,cat_p_1506,cat_p_1507,cat_p_1508,cat_p_1509,cat_p_1510,cat_p_1511,cat_p_1512,cat_p_1513,cat_p_1594,cat_p_1579,cat_p_1580,cat_p_1581,cat_p_1582,cat_p_1583,cat_p_1584,cat_p_1585,cat_p_1586,cat_p_1587,cat_p_1588,cat_p_1589,cat_p_1590,cat_p_1591,cat_p_1592,cat_p_1593,cat_p_1754,cat_p_1739,cat_p_1740,cat_p_1741,cat_p_1742,cat_p_1743,cat_p_1744,cat_p_1745,cat_p_1746,cat_p_1747,cat_p_1748,cat_p_1749,cat_p_1750,cat_p_1751,cat_p_1752,cat_p_1753,cat_p_1802,cat_p_1787,cat_p_1788,cat_p_1789,cat_p_1790,cat_p_1791,cat_p_1792,cat_p_1793,cat_p_1794,cat_p_1795,cat_p_1796,cat_p_1797,cat_p_1798,cat_p_1799,cat_p_1800,cat_p_1801,cat_p_1050,cat_p_1035,cat_p_1036,cat_p_1037,cat_p_1038,cat_p_1039,cat_p_1040,cat_p_1041,cat_p_1042,cat_p_1043,cat_p_1044,cat_p_1045,cat_p_1046,cat_p_1047,cat_p_1048,cat_p_1049,cat_p_1200,cat_p_1185,cat_p_1186,cat_p_1187,cat_p_1188,cat_p_1189,cat_p_1190,cat_p_1191,cat_p_1192,cat_p_1193,cat_p_1194,cat_p_1195,cat_p_1196,cat_p_1
197,cat_p_1198,cat_p_1199,cat_p_1216,cat_p_1201,cat_p_1202,cat_p_1203,cat_p_1204,cat_p_1205,cat_p_1206,cat_p_1207,cat_p_1208,cat_p_1209,cat_p_1210,cat_p_1211,cat_p_1212,cat_p_1213,cat_p_1214,cat_p_1215",
  "X-Magento-Debug: 1",
  "X-Content-Type-Options: nosniff",
  "X-XSS-Protection: 1; mode=block",
  "X-Frame-Options: SAMEORIGIN"
]

  2. 2.3.5: ~ 4.9k in size (because of product cache tags + csp)

[
  "X-Powered-By: PHP\/7.3.16",
  "Set-Cookie: mage-cache-sessid=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=\/",
  "Set-Cookie: PHPSESSID=ad946a72224b9800ae7fc97789e7a223; expires=Mon, 04-May-2020 09:13:21 GMT; Max-Age=3600; path=\/; domain=magento2.local; secure; HttpOnly",
  "Set-Cookie: form_key=dh78SLda7p7MFjOR; expires=Mon, 04-May-2020 09:13:21 GMT; Max-Age=3600; path=\/; domain=magento2.local; secure",
  "Pragma: cache",
  "Cache-Control: max-age=86400, public, s-maxage=86400",
  "Expires: Tue, 05 May 2020 08:13:23 GMT",
  "X-Magento-Tags: store,cms_b,cms_b_1,cms_b_footer_links_block,cat_c_21,cat_c_p_21,cat_p_1082,cat_p,cat_p_1067,cat_p_1068,cat_p_1069,cat_p_1070,cat_p_1071,cat_p_1072,cat_p_1073,cat_p_1074,cat_p_1075,cat_p_1076,cat_p_1077,cat_p_1078,cat_p_1079,cat_p_1080,cat_p_1081,cat_p_1136,cat_p_1121,cat_p_1122,cat_p_1123,cat_p_1124,cat_p_1125,cat_p_1126,cat_p_1127,cat_p_1128,cat_p_1129,cat_p_1130,cat_p_1131,cat_p_1132,cat_p_1133,cat_p_1134,cat_p_1135,cat_p_1274,cat_p_1259,cat_p_1260,cat_p_1261,cat_p_1262,cat_p_1263,cat_p_1264,cat_p_1265,cat_p_1266,cat_p_1267,cat_p_1268,cat_p_1269,cat_p_1270,cat_p_1271,cat_p_1272,cat_p_1273,cat_p_1450,cat_p_1435,cat_p_1436,cat_p_1437,cat_p_1438,cat_p_1439,cat_p_1440,cat_p_1441,cat_p_1442,cat_p_1443,cat_p_1444,cat_p_1445,cat_p_1446,cat_p_1447,cat_p_1448,cat_p_1449,cat_p_1498,cat_p_1483,cat_p_1484,cat_p_1485,cat_p_1486,cat_p_1487,cat_p_1488,cat_p_1489,cat_p_1490,cat_p_1491,cat_p_1492,cat_p_1493,cat_p_1494,cat_p_1495,cat_p_1496,cat_p_1497,cat_p_1514,cat_p_1499,cat_p_1500,cat_p_1501,cat_p_1502,cat_p_1503,cat_p_1504,cat_p_1505,cat_p_1506,cat_p_1507,cat_p_1508,cat_p_1509,cat_p_1510,cat_p_1511,cat_p_1512,cat_p_1513,cat_p_1594,cat_p_1579,cat_p_1580,cat_p_1581,cat_p_1582,cat_p_1583,cat_p_1584,cat_p_1585,cat_p_1586,cat_p_1587,cat_p_1588,cat_p_1589,cat_p_1590,cat_p_1591,cat_p_1592,cat_p_1593,cat_p_1754,cat_p_1739,cat_p_1740,cat_p_1741,cat_p_1742,cat_p_1743,cat_p_1744,cat_p_1745,cat_p_1746,cat_p_1747,cat_p_1748,cat_p_1749,cat_p_1750,cat_p_1751,cat_p_1752,cat_p_1753,cat_p_1802,cat_p_1787,cat_p_1788,cat_p_1789,cat_p_1790,cat_p_1791,cat_p_1792,cat_p_1793,cat_p_1794,cat_p_1795,cat_p_1796,cat_p_1797,cat_p_1798,cat_p_1799,cat_p_1800,cat_p_1801,cat_p_1050,cat_p_1035,cat_p_1036,cat_p_1037,cat_p_1038,cat_p_1039,cat_p_1040,cat_p_1041,cat_p_1042,cat_p_1043,cat_p_1044,cat_p_1045,cat_p_1046,cat_p_1047,cat_p_1048,cat_p_1049,cat_p_1200,cat_p_1185,cat_p_1186,cat_p_1187,cat_p_1188,cat_p_1189,cat_p_1190,cat_p_1191,cat_p_1192,cat_p_1193,cat_p_1194,cat_p_1195,cat_p_1196,cat_p_1
197,cat_p_1198,cat_p_1199,cat_p_1216,cat_p_1201,cat_p_1202,cat_p_1203,cat_p_1204,cat_p_1205,cat_p_1206,cat_p_1207,cat_p_1208,cat_p_1209,cat_p_1210,cat_p_1211,cat_p_1212,cat_p_1213,cat_p_1214,cat_p_1215",
  "X-Magento-Debug: 1",
  "Content-Security-Policy-Report-Only: font-src 'self' 'unsafe-inline'; form-action geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com secure.authorize.net test.authorize.net 'self' 'unsafe-inline'; frame-ancestors 'self' 'unsafe-inline'; frame-src geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com secure.authorize.net test.authorize.net www.paypal.com www.sandbox.paypal.com 'self' 'unsafe-inline'; img-src widgets.magentocommerce.com www.googleadservices.com www.google-analytics.com t.paypal.com www.paypal.com www.paypalobjects.com fpdbs.paypal.com fpdbs.sandbox.paypal.com *.vimeocdn.com s.ytimg.com 'self' 'unsafe-inline'; script-src assets.adobedtm.com geostag.cardinalcommerce.com 1eafstag.cardinalcommerce.com geoapi.cardinalcommerce.com 1eafapi.cardinalcommerce.com songbird.cardinalcommerce.com includestest.ccdc02.com www.googleadservices.com www.google-analytics.com secure.authorize.net test.authorize.net www.paypal.com www.sandbox.paypal.com www.paypalobjects.com t.paypal.com s.ytimg.com video.google.com vimeo.com www.vimeo.com js.authorize.net jstest.authorize.net cdn-scripts.signifyd.com www.youtube.com js.braintreegateway.com 'self' 'unsafe-inline' 'unsafe-eval'; style-src getfirebug.com 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; media-src 'self' 'unsafe-inline'; manifest-src 'self' 'unsafe-inline'; connect-src geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com 'self' 'unsafe-inline'; child-src 'self' 'unsafe-inline'; default-src 'self' 'unsafe-inline' 'unsafe-eval'; base-uri 'self' 'unsafe-inline';",
  "X-Content-Type-Options: nosniff",
  "X-XSS-Protection: 1; mode=block",
  "X-Frame-Options: SAMEORIGIN"
]

As you can see, in 2.3.5 CSP adds about 2K to the response headers of all requests by default. Someone could say that it is an easy fix, just increase the limits in Nginx to at least 6k, like this:

fastcgi_buffers 1024 6k;
fastcgi_buffer_size 6k;

But in this case you would also need to adjust the limits in all involved proxies, like Nginx SSL offloaders or others, like the Kubernetes Nginx Ingress.

And it will not fix the core issue - it looks like the CSP module is adding all merged rules as a header to all requests. And it could potentially grow in size in the future.

Example (same Women/Tops category page) :

  1. cardinalcommerce.com
  2. sandbox.paypal.com
  3. test.authorize.net
  4. etc.

None of this is actually required on a category page. It looks like it would be better to generate different rule pools per page type, rather than a global pool for all…

You can read more about such limits:

  1. https://stackoverflow.com/a/8623061
  2. https://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_buffer_size
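A small header-size triage script, added here as an example and not code from this issue or from Magento: it computes the on-the-wire size of a response header block the way an nginx upstream buffer sees it, ranks the largest headers, breaks a CSP value down per directive so you can see which host lists inflate it, and flags a report-only policy with no report-uri and directives that still allow 'unsafe-inline'. The header list is a constructed, shortened stand-in for the 2.3.5 response shown above; the cache-tag range and the CSP hosts are cut down from the real one.

```python
from typing import Dict, List, Tuple

Headers = List[Tuple[str, str]]

# Constructed sample: a shortened stand-in for the 2.3.5 response shown in the
# issue. The cache-tag list and the CSP host lists are cut down; the shape is
# the same (one tag per product, one host list per CSP directive).
SAMPLE_HEADERS: Headers = [
    ("X-Powered-By", "PHP/7.3.16"),
    ("Cache-Control", "max-age=86400, public, s-maxage=86400"),
    ("X-Magento-Tags", ",".join(["store", "cat_c_21"]
                                + [f"cat_p_{i}" for i in range(1067, 1217)])),
    ("Content-Security-Policy-Report-Only",
     "font-src 'self' 'unsafe-inline'; "
     "frame-src www.paypal.com www.sandbox.paypal.com 'self' 'unsafe-inline'; "
     "script-src www.google-analytics.com js.braintreegateway.com 'self' "
     "'unsafe-inline' 'unsafe-eval'; "
     "style-src getfirebug.com 'self' 'unsafe-inline'; "
     "default-src 'self' 'unsafe-inline' 'unsafe-eval';"),
    ("X-Frame-Options", "SAMEORIGIN"),
]

def wire_size(headers: Headers) -> int:
    """Bytes the header block occupies on the wire: "Name: value" + CRLF per
    header plus the empty line ending the block. This is what must fit in
    fastcgi_buffer_size (4k by default); FastCGI framing and the Status line
    add a few dozen bytes on top, so treat the result as a lower bound."""
    return sum(len(name) + 2 + len(value) + 2 for name, value in headers) + 2

def fits_buffer(headers: Headers, buffer_size: int = 4096) -> bool:
    """True when the whole header block fits a single nginx upstream buffer."""
    return wire_size(headers) <= buffer_size

def largest_headers(headers: Headers, top: int = 3) -> List[Tuple[int, str]]:
    """(size, name) of the biggest headers, largest first."""
    sizes = [(len(name) + 2 + len(value) + 2, name) for name, value in headers]
    return sorted(sizes, reverse=True)[:top]

def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [source expressions]}, order kept."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def directive_sizes(policy: Dict[str, List[str]]) -> Dict[str, int]:
    """Bytes each directive contributes (name plus one space per source);
    shows which host lists are inflating the header."""
    return {name: len(name) + sum(len(src) + 1 for src in sources)
            for name, sources in policy.items()}

def policy_findings(header_name: str, policy: Dict[str, List[str]]) -> List[str]:
    """Defender-side observations about the policy itself."""
    findings: List[str] = []
    if (header_name.lower().endswith("-report-only")
            and "report-uri" not in policy and "report-to" not in policy):
        findings.append("report-only policy has no report-uri/report-to: the "
                        "browser reports nothing, so the header costs bytes on "
                        "every response and gives nothing back")
    for directive in ("script-src", "style-src"):
        sources = policy.get(directive, policy.get("default-src", []))
        if "'unsafe-inline'" in sources:
            findings.append(f"{directive} allows 'unsafe-inline'; injected "
                            "inline code of that kind is not blocked")
    return findings

def triage(headers: Headers, buffer_size: int = 4096) -> None:
    """Print the size breakdown and findings for one response's headers."""
    total = wire_size(headers)
    verdict = "fits" if total <= buffer_size else "EXCEEDS"
    print(f"header block: {total} bytes, {verdict} buffer of {buffer_size}")
    for size, name in largest_headers(headers):
        print(f"  {size:5d}  {name}")
    for name, value in headers:
        if name.lower().startswith("content-security-policy"):
            policy = parse_csp(value)
            for directive, size in sorted(directive_sizes(policy).items(),
                                          key=lambda kv: -kv[1]):
                print(f"    {size:4d}  {directive}")
            for finding in policy_findings(name, policy):
                print(f"  ! {finding}")

if __name__ == "__main__":
    triage(SAMPLE_HEADERS)
```

To run it against a live response, feed it the header lines from `curl -sI` (or from PHP's headers_list() as in the dumps above) and pass the buffer size your nginx actually uses.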

About this issue

  • State: closed
  • Created 4 years ago
  • Reactions: 24
  • Comments: 20 (10 by maintainers)

Most upvoted comments

You can just disable Magento_Csp entirely since in its current state it gives a false sense of security. See https://maxchadwick.xyz/blog/magento-2-3-5-csp-fools-errand + https://maxchadwick.xyz/blog/magento-disable-csp for more info.

@medhassenkhatteche

How can I resolve it? Help please!

  1. Try to avoid copy-pasting unformatted and unfiltered text/logs from the console or anywhere else. This might help people not lose their desire to help while scrolling through such comments. Most of the text you copied is a log from a Chrome extension which is completely irrelevant.

  2. Read about CSP here: https://devdocs.magento.com/guides/v2.3/extension-dev-guide/security/content-security-policies.html

Hi everyone, I have a problem when I launch my website (Magento 2.3.5-1) locally with MySQL.

i have in console all this The Content Security Policy ‘font-src ‘self’ ‘unsafe-inline’; form-action geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com secure.authorize.net test.authorize.net ‘self’ ‘unsafe-inline’; frame-ancestors ‘self’ ‘unsafe-inline’; frame-src geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com secure.authorize.net test.authorize.net www.paypal.com www.sandbox.paypal.com ‘self’ ‘unsafe-inline’; img-src widgets.magentocommerce.com www.googleadservices.com www.google-analytics.com t.paypal.com www.paypal.com www.paypalobjects.com fpdbs.paypal.com fpdbs.sandbox.paypal.com *.vimeocdn.com s.ytimg.com ‘self’ ‘unsafe-inline’; script-src assets.adobedtm.com geostag.cardinalcommerce.com 1eafstag.cardinalcommerce.com geoapi.cardinalcommerce.com 1eafapi.cardinalcommerce.com songbird.cardinalcommerce.com includestest.ccdc02.com www.googleadservices.com www.google-analytics.com secure.authorize.net test.authorize.net www.paypal.com www.sandbox.paypal.com www.paypalobjects.com t.paypal.com s.ytimg.com video.google.com vimeo.com www.vimeo.com js.authorize.net jstest.authorize.net cdn-scripts.signifyd.com www.youtube.com js.braintreegateway.com ‘self’ ‘unsafe-inline’ ‘unsafe-eval’; style-src getfirebug.com ‘self’ ‘unsafe-inline’; object-src ‘self’ ‘unsafe-inline’; media-src ‘self’ ‘unsafe-inline’; manifest-src ‘self’ ‘unsafe-inline’; connect-src geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com ‘self’ ‘unsafe-inline’; child-src ‘self’ ‘unsafe-inline’; default-src ‘self’ ‘unsafe-inline’ ‘unsafe-eval’; base-uri ‘self’ ‘unsafe-inline’;’ was delivered in report-only mode, but does 
not specify a ‘report-uri’; the policy will have no effect. Please either add a ‘report-uri’ directive, or deliver the policy via the ‘Content-Security-Policy’ header. localhost/:1 [Report Only] Refused to load the stylesheet ‘https://fonts.googleapis.com/css?family=Work+Sans:400,700.less’ because it violates the following Content Security Policy directive: “style-src getfirebug.com ‘self’ ‘unsafe-inline’”. Note that ‘style-src-elem’ was not explicitly set, so ‘style-src’ is used as a fallback.

localhost/:1 [Report Only] Refused to load the script ‘https://www.google.com/recaptcha/api.js’ because it violates the following Content Security Policy directive: “script-src assets.adobedtm.com geostag.cardinalcommerce.com 1eafstag.cardinalcommerce.com geoapi.cardinalcommerce.com 1eafapi.cardinalcommerce.com songbird.cardinalcommerce.com includestest.ccdc02.com www.googleadservices.com www.google-analytics.com secure.authorize.net test.authorize.net www.paypal.com www.sandbox.paypal.com www.paypalobjects.com t.paypal.com s.ytimg.com video.google.com vimeo.com www.vimeo.com js.authorize.net jstest.authorize.net cdn-scripts.signifyd.com www.youtube.com js.braintreegateway.com ‘self’ ‘unsafe-inline’ ‘unsafe-eval’”. Note that ‘script-src-elem’ was not explicitly set, so ‘script-src’ is used as a fallback.

api.js:1 [Report Only] Refused to load the script ‘https://www.gstatic.com/recaptcha/releases/-wV2EAWEOTlEtZh4vNQtn3H1/recaptcha__fr.js’ because it violates the following Content Security Policy directive: “script-src assets.adobedtm.com geostag.cardinalcommerce.com 1eafstag.cardinalcommerce.com geoapi.cardinalcommerce.com 1eafapi.cardinalcommerce.com songbird.cardinalcommerce.com includestest.ccdc02.com www.googleadservices.com www.google-analytics.com secure.authorize.net test.authorize.net www.paypal.com www.sandbox.paypal.com www.paypalobjects.com t.paypal.com s.ytimg.com video.google.com vimeo.com www.vimeo.com js.authorize.net jstest.authorize.net cdn-scripts.signifyd.com www.youtube.com js.braintreegateway.com ‘self’ ‘unsafe-inline’ ‘unsafe-eval’”. Note that ‘script-src-elem’ was not explicitly set, so ‘script-src’ is used as a fallback.


How can I resolve it? Help please!

2.4.5-p1 still present:

Content-Security-Policy-Report-Only: 3875 chars

@ToonSpinISAAC: I have the feeling that the following PR might solve your issue: https://github.com/magento/magento2/pull/33468

I think it could be related to the website server configuration. https://websiteforstudents.com/resolved-400-bad-request-request-header-or-cookie-too-large-via-nginx/

For nginx,

server {
    # ...
    large_client_header_buffers 4 16k;
    # ...
}

Hi! Adding a few notes.

In M2.4.0 with sample data installed, the total size of the response headers for the same Women/Tops category increased again. It is now bigger than 6k - you have to keep this in mind while adding any kind of workaround. As I see it, the Magento team has “fixed” this by changing the default nginx configuration to use a 32k buffer. I hope that it is just a temporary fix.

Headers example (M2.4.0, Women/Tops category):

Array
(
  [0] => X-Powered-By: PHP/7.4.8
  [1] => Set-Cookie: PHPSESSID=e15a6af4820f9bfda2e4eef82dd667d8; expires=Mon, 17-Aug-2020 06:42:23 GMT; Max-Age=3600; path=/; domain=magento2.local; secure; HttpOnly
  [2] => Set-Cookie: form_key=GSFXrkQwrholQWbd; expires=Mon, 17-Aug-2020 06:42:24 GMT; Max-Age=3600; path=/; domain=magento2.local; secure
  [3] => Pragma: cache
  [4] => Cache-Control: max-age=86400, public, s-maxage=86400
  [5] => Expires: Tue, 18 Aug 2020 05:42:24 GMT
  [6] => X-Magento-Tags: store,cms_b,cms_b_2,cms_b_footer_links_block,cat_c_21,cat_c_p_21,cat_p_1050,cat_p,cat_p_1035,cat_p_1036,cat_p_1037,cat_p_1038,cat_p_1039,cat_p_1040,cat_p_1041,cat_p_1042,cat_p_1043,cat_p_1044,cat_p_1045,cat_p_1046,cat_p_1047,cat_p_1048,cat_p_1049,cat_p_1066,cat_p_1051,cat_p_1052,cat_p_1053,cat_p_1054,cat_p_1055,cat_p_1056,cat_p_1057,cat_p_1058,cat_p_1059,cat_p_1060,cat_p_1061,cat_p_1062,cat_p_1063,cat_p_1064,cat_p_1065,cat_p_1082,cat_p_1067,cat_p_1068,cat_p_1069,cat_p_1070,cat_p_1071,cat_p_1072,cat_p_1073,cat_p_1074,cat_p_1075,cat_p_1076,cat_p_1077,cat_p_1078,cat_p_1079,cat_p_1080,cat_p_1081,cat_p_1098,cat_p_1083,cat_p_1084,cat_p_1085,cat_p_1086,cat_p_1087,cat_p_1088,cat_p_1089,cat_p_1090,cat_p_1091,cat_p_1092,cat_p_1093,cat_p_1094,cat_p_1095,cat_p_1096,cat_p_1097,cat_p_1114,cat_p_1099,cat_p_1100,cat_p_1101,cat_p_1102,cat_p_1103,cat_p_1104,cat_p_1105,cat_p_1106,cat_p_1107,cat_p_1108,cat_p_1109,cat_p_1110,cat_p_1111,cat_p_1112,cat_p_1113,cat_p_1120,cat_p_1115,cat_p_1116,cat_p_1117,cat_p_1118,cat_p_1119,cat_p_1136,cat_p_1121,cat_p_1122,cat_p_1123,cat_p_1124,cat_p_1125,cat_p_1126,cat_p_1127,cat_p_1128,cat_p_1129,cat_p_1130,cat_p_1131,cat_p_1132,cat_p_1133,cat_p_1134,cat_p_1135,cat_p_1152,cat_p_1137,cat_p_1138,cat_p_1139,cat_p_1140,cat_p_1141,cat_p_1142,cat_p_1143,cat_p_1144,cat_p_1145,cat_p_1146,cat_p_1147,cat_p_1148,cat_p_1149,cat_p_1150,cat_p_1151,cat_p_1168,cat_p_1153,cat_p_1154,cat_p_1155,cat_p_1156,cat_p_1157,cat_p_1158,cat_p_1159,cat_p_1160,cat_p_1161,cat_p_1162,cat_p_1163,cat_p_1164,cat_p_1165,cat_p_1166,cat_p_1167,cat_p_1184,cat_p_1169,cat_p_1170,cat_p_1171,cat_p_1172,cat_p_1173,cat_p_1174,cat_p_1175,cat_p_1176,cat_p_1177,cat_p_1178,cat_p_1179,cat_p_1180,cat_p_1181,cat_p_1182,cat_p_1183,cat_p_1200,cat_p_1185,cat_p_1186,cat_p_1187,cat_p_1188,cat_p_1189,cat_p_1190,cat_p_1191,cat_p_1192,cat_p_1193,cat_p_1194,cat_p_1195,cat_p_1196,cat_p_1197,cat_p_1198,cat_p_1199,cat_p_1216,cat_p_1201,cat_p_1202,cat_p_1203,cat_p_1204,cat_p_1205,cat_p_1206,c
at_p_1207,cat_p_1208,cat_p_1209,cat_p_1210,cat_p_1211,cat_p_1212,cat_p_1213,cat_p_1214,cat_p_1215
  [7] => X-Magento-Debug: 1
  [8] => Content-Security-Policy-Report-Only: font-src 'self' 'unsafe-inline'; form-action secure.authorize.net test.authorize.net geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com *.amazon.com *.amazon.co.uk *.amazon.co.jp *.amazon.jp *.amazon.it *.amazon.fr *.amazon.es yotpo.com www.yotpo.com p.yotpo.com staticw2.yotpo.com w2.yotpo.com 'self' 'unsafe-inline'; frame-ancestors 'self' 'unsafe-inline'; frame-src secure.authorize.net test.authorize.net www.paypal.com www.sandbox.paypal.com geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com www.googletagmanager.com *.amazon.com *.amazon.co.uk *.amazon.co.jp *.amazon.jp *.amazon.it *.amazon.fr *.amazon.es *.payments-amazon.com *.payments-amazon.co.uk *.payments-amazon.co.jp *.payments-amazon.jp *.payments-amazon.it *.payments-amazon.fr *.payments-amazon.es yotpo.com www.yotpo.com p.yotpo.com staticw2.yotpo.com w2.yotpo.com 'self' 'unsafe-inline'; img-src widgets.magentocommerce.com www.googleadservices.com www.google-analytics.com www.paypalobjects.com t.paypal.com www.paypal.com fpdbs.paypal.com fpdbs.sandbox.paypal.com *.vimeocdn.com s.ytimg.com d3sbl0c71oxeok.cloudfront.net dhkkzdfmpzvap.cloudfront.net d2bpzs5y44q6e0.cloudfront.net d37shgu97oizpd.cloudfront.net d1zlqll3enr74n.cloudfront.net d1jynp0fpwn93a.cloudfront.net d2cb3tokgpwh3v.cloudfront.net d1re8bfxx3pw6e.cloudfront.net d35u8xwkxs8vpe.cloudfront.net d13s9xffygp5o.cloudfront.net d388nbw0dwi1jm.cloudfront.net d11p2vtu3dppaw.cloudfront.net d3r89hiip86hka.cloudfront.net dc7snq0c8ipyk.cloudfront.net d5c7kvljggzso.cloudfront.net d2h8yg3ypfzua1.cloudfront.net d1b556x7apj5fb.cloudfront.net draz1ib3z71v2.cloudfront.net dr6hdp4s5yzfc.cloudfront.net d2bomicxw8p7ii.cloudfront.net d3aypcdgvjnnam.cloudfront.net 
d2a3iuf10348gy.cloudfront.net *.ssl-images-amazon.com *.ssl-images-amazon.co.uk *.ssl-images-amazon.co.jp *.ssl-images-amazon.jp *.ssl-images-amazon.it *.ssl-images-amazon.fr *.ssl-images-amazon.es *.media-amazon.com *.media-amazon.co.uk *.media-amazon.co.jp *.media-amazon.jp *.media-amazon.it *.media-amazon.fr *.media-amazon.es yotpo.com www.yotpo.com p.yotpo.com staticw2.yotpo.com w2.yotpo.com 'self' 'unsafe-inline'; script-src assets.adobedtm.com secure.authorize.net test.authorize.net www.googleadservices.com www.google-analytics.com www.paypalobjects.com js.braintreegateway.com www.paypal.com www.sandbox.paypal.com t.paypal.com s.ytimg.com video.google.com vimeo.com www.vimeo.com geostag.cardinalcommerce.com 1eafstag.cardinalcommerce.com geoapi.cardinalcommerce.com 1eafapi.cardinalcommerce.com songbird.cardinalcommerce.com includestest.ccdc02.com www.youtube.com www.googletagmanager.com *.payments-amazon.com *.payments-amazon.co.uk *.payments-amazon.co.jp *.payments-amazon.jp *.payments-amazon.it *.payments-amazon.fr *.payments-amazon.es yotpo.com www.yotpo.com p.yotpo.com staticw2.yotpo.com w2.yotpo.com 'self' 'unsafe-inline' 'unsafe-eval'; style-src getfirebug.com yotpo.com www.yotpo.com p.yotpo.com staticw2.yotpo.com w2.yotpo.com 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; media-src 'self' 'unsafe-inline'; manifest-src 'self' 'unsafe-inline'; connect-src geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com *.amazon.com *.amazon.co.uk *.amazon.co.jp *.amazon.jp *.amazon.it *.amazon.fr *.amazon.es *.amazonpay.com *.amazonpay.co.uk *.amazonpay.co.jp *.amazonpay.jp *.amazonpay.it *.amazonpay.fr *.amazonpay.es mws.amazonservices.com mws.amazonservices.co.uk mws.amazonservices.co.jp mws.amazonservices.jp mws.amazonservices.it mws.amazonservices.fr mws.amazonservices.es yotpo.com www.yotpo.com p.yotpo.com staticw2.yotpo.com 
w2.yotpo.com 'self' 'unsafe-inline'; child-src http: https: blob: 'self' 'unsafe-inline'; default-src 'self' 'unsafe-inline' 'unsafe-eval'; base-uri 'self' 'unsafe-inline';
  [9] => X-Content-Type-Options: nosniff
  [10] => X-XSS-Protection: 1; mode=block
  [11] => X-Frame-Options: SAMEORIGIN
)

However, as some of you have already noticed, this isn’t simply from CSP alone and the Magento cache tags are also playing a big part in the total size of the headers.

@nathanjosiah Have you thought about dividing the whole CSP list and retrieving only the relevant domains for a specific page? As I said before:

Example (same Women/Tops category page) :

cardinalcommerce.com sandbox.paypal.com test.authorize.net etc.

None of this is actually required on a category page.

Hello everyone!

In regards to the size of the CSP headers, we are aware that it is a problem for some of our customers. We are investigating our options for how we can address this specific issue. However, as some of you have already noticed, this isn’t simply from CSP alone and the Magento cache tags are also playing a big part in the total size of the headers.

As for those of you that are commenting on the overall effectiveness of CSP and simply disabling the module and referencing https://maxchadwick.xyz/blog/magento-2-3-5-csp-fools-errand this is Magento’s official response:

With the security of an application, we do understand that every customer has a different perspective and preference on the implementation and support of security features. While some researchers feel the strict-dynamic approach is hard to maintain and the whitelist approach is easier, some feel vice versa. As of Magento 2.3.5, the Magento CSP API supports both whitelist and strict-dynamic settings, so a merchant can set up their CSP in any way they want - whitelist or dynamic. In the upcoming 2.4.0, we will be removing “unsafe-inline” from the allowed resources of both the “style-src” and “script-src” directives to improve anti-XSS protection, and in future we will turn on enforcement mode by default and further improve our CSP offering. With these steps we hope to prevent most card skimmers from doing any harm.

CSP should be considered as another layer of protection for the webstore and not the only line of defense. We understand that CSP will not stop attackers from exploiting every vulnerability on the webstore, but it does stop browsers from executing injected malicious scripts. Magento is continuously invested in adding additional security tools such as 2FA by default, anti-CSRF, anti-XSS and many other common vulnerability controls in our product. We are not solely relying on the whitelisting approach provided by CSP, but are also continually evaluating robust, next-generation solutions that would provide more granular control over third-party code.

We would like any feedback or suggestions on how we can make our product more secure for you.