For some time, Magento / Adobe Commerce has shipped a built-in module, Magento_Csp, for managing your Content Security Policy (CSP).

Content Security Policy

The module lets you control exactly which third-party domains may supply images, CSS, fonts, scripts and other resources on your Adobe Commerce/Magento store, on both the storefront and the admin backend.

This is a powerful defence against site compromise. If the browser refuses to load content from domains you have not approved, an injected script or card skimmer that points at an attacker's server simply does not run, which keeps your customers' data out of the attacker's hands. The flip side is that when you add your own third-party scripts for tracking, streaming or other features, you must whitelist each domain in a custom csp_whitelist.xml file in one of your modules.

There is a problem...

However, since the launch of the long-delayed 3-D Secure 2 (3DS2) standard, a new CSP problem has arisen. The original 3-D Secure used a common domain for all card verification processes, namely cardinalcommerce.com, so a single entry covered it. That is no longer the case with 3DS2. Each card-issuing bank is responsible for running its own authentication platform and the domain it is served from, and the cardholder challenge is loaded into an iframe on your checkout from that domain, which puts it under the frame-src directive. This means there are hundreds of potential domains to whitelist for 3DS2 requests, with no guarantee that those domains will remain static.
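As an added illustration (not a file from this page, from Magento core or from the PixieMedia module), here is what a custom module's etc/csp_whitelist.xml looks like: an analytics host whitelisted for script-src and connect-src, and the single 3DS1 domain under frame-src, the directive that governs the card-verification iframe. Under 3DS2 every issuer's authentication domain would need its own frame-src entry of the same shape. The analytics host and the value ids are assumed for the example.

```xml
<?xml version="1.0"?>
<!--
  Illustrative etc/csp_whitelist.xml for a custom module (example only, not the
  page's own file nor Magento's). Host names and value ids are assumed.
  Magento_Csp merges the entries of every module's csp_whitelist.xml.
-->
<csp_whitelist xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Csp/etc/csp_whitelist.xsd">
    <policies>
        <!-- A third-party script you added yourself, e.g. an analytics tag. -->
        <policy id="script-src">
            <values>
                <value id="analytics" type="host">www.google-analytics.com</value>
            </values>
        </policy>
        <!-- That script also calls home via XHR/fetch, which connect-src governs. -->
        <policy id="connect-src">
            <values>
                <value id="analytics" type="host">www.google-analytics.com</value>
            </values>
        </policy>
        <!-- Card-verification iframes fall under frame-src. One wildcard entry
             covered 3DS1; under 3DS2 each issuer's domain needs its own entry. -->
        <policy id="frame-src">
            <values>
                <value id="cardinal" type="host">*.cardinalcommerce.com</value>
            </values>
        </policy>
    </policies>
</csp_whitelist>
```

Value ids must be unique within each policy but may repeat across policies. After adding or changing the file, flush the config cache and confirm the new sources appear in the Content-Security-Policy (or Content-Security-Policy-Report-Only) response header on a checkout page; the browser's console will list anything still being blocked.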

Faced with a choice between running without CSP and risking customers being blocked mid-payment, it is understandable that many merchants turn CSP off to protect their sales. Magento_Csp also has a report-only mode, which blocks nothing and logs violations to a report URI; it is a useful way to see which issuer domains your customers actually hit before deciding whether to enforce.

Behind the scenes we believe there is work going on to resolve this issue, either programmatically or by having gateway providers gather and maintain the legitimate domains in their integrations. In the meantime, however, we have developed a temporary workaround.

We have a workaround...

We have built a small module called PixieMedia_Csp which, when CSP enforce mode is enabled, allows any iframe source on the checkout pages only; every other page keeps the full policy. We're glad to share this with the community, but must highlight that it is not a long-term solution and does pose a security risk: frame-src on the checkout is opened up, so an attacker who can inject markup there could frame a page of their own. In all the site compromises we have seen, this module would still prevent such intrusions from hurting customers, but that is not to say the hackers couldn't change tack in the future.

It is therefore offered for use at your own risk, but we sincerely hope this will help.

Download PixieMedia_CSP module

Happy coding!