# hyva-themes/magento2-optimized-csp-allowlist

> Be more precise on which CSP domains are allowed to be loaded

`composer require hyva-themes/magento2-optimized-csp-allowlist`

Canonical URL: https://packagento.com/hyva-themes/magento2-optimized-csp-allowlist

## At a glance

- **Vendor**: hyva-themes (https://packagento.com/hyva-themes.md)
- **Latest version**: 1.1.1 — released 2026-01-06
- **Pricing**: Free
- **Package type**: Magento 2 module
- **Status**: active, accepting new buyers

## Installation

Packagento is licence-gated, so even free packages need a licence on a project before Composer can resolve them.

1. **Sign in or create an account** at https://packagento.com/customer/account/.

2. **Add the package to your account.** Open https://packagento.com/hyva-themes/magento2-optimized-csp-allowlist and complete the free checkout. A licence is minted automatically.

3. **Create or pick a project, then activate the licence on it.**
   - Projects represent the Magento installs you deploy to. Manage them at https://packagento.com/projects/.
   - Activate the new licence on the project you'll deploy this package to. Activation is what generates the Composer credentials scoped to that project.

4. **Add the project credentials to your Magento codebase.**

   Grab the project's public + private key from https://packagento.com/projects/ (open the project, then its Credentials tab), and add them to `auth.json`:

   ```json
   {
     "http-basic": {
       "packagento.com": {
         "username": "ppk_live_...",
         "password": "psk_live_..."
       }
     }
   }
   ```

   Add the Packagento Composer repository to `composer.json`:

   ```json
   {
     "repositories": [
       { "type": "composer", "url": "https://packagento.com" }
     ]
   }
   ```

5. **Install and apply.**

   ```bash
   composer require hyva-themes/magento2-optimized-csp-allowlist:*
   bin/magento setup:upgrade
   bin/magento setup:di:compile
   bin/magento cache:flush
   ```

## What it does

Be more precise on which CSP domains are allowed to be loaded

## README

This extension optimizes the Content Security Policy (CSP) for Magento by allowing selective loading of `csp_whitelist.xml` files, reducing security risks associated with unnecessary domain allowances and potential XSS vulnerabilities.
### Description
The CSP header `Content-Security-Policy` contains a list of allowed domains which are to both your frontend and backend of your Magento installation and no validation is done if these domains are actually needed to run a page. This brings certain security risks as it can be used to trigger some clever XSS attacks (more below) on your store.

Even if CSP if fully enforced, `eval` and unsigned `inline` scripts are disabled, it still will be possible to inject non validated code to run on your store.

Your Magento installation will include many third party extensions and Magento also ships some `csp_whitelist.xml` files per default, all files include many domains.
These domains will automatically be merged into the CSP header. Besides for the additional risks this greatly increases the size of the CSP header.
### Installation
Installation in your Magento project is done via composer.

```shell
composer require hyva-themes/magento2-optimized-csp-allowlist
bin/magento setup:upgrade
```

### Post installation
This extension can run in two modes, fully disable all modules `csp_whitelist.xml` or check if a template file from a specific extension is used,
only if a `.phtml` file from an installed extension is used it will include in the CSP header.

The first option is the safest, you can still include a `csp_whitelist.xml` file directly in your theme. After installation the second option is enabled per default.

Checking if an `.phtml` is used and only loading those allowlist XML files is enabled by default.
### Configuration
You can configure how the extension should work per store, if you have a storeview and get some weird.

- Navigate to **Stores** -> **Configuration**
- Then **Security** -> **Content Security Policy (CSP)**
  - **Fully disable module allowlists** to fully disable modules `csp_whitelist.xml`'s (default: **No**)
  - **Enable allowlist optimization** to enable or disable the setting per store (default: **Yes**)

![Configuration image](docs/configuration.png)

### Research: XSS Risks when allowing domains
On a vanilla Magento (tested 2.4.8-p1) installation without this feature, 25 of the 46 items on the allowed domains list can be used
to inject XSS.

An example as `*.google.com` is whitelisted in the `magento/module-payment-services-paypal/etc/csp_whitelist.xml` which allows at least the following possible injection.

```html
<script src="https://accounts.google.com/o/oauth2/revoke?callback=alert(1337)"></script>
```

This input is reflected on the endpoint and therefore it will trigger `alert(1337)`, this can become anything.

More information about this, take a look at [renniepak/CSPBypass](https://github.com/renniepak/CSPBypass) and test your own domains.
### Technique
The extension checks wetter a `.phtml` file is loaded within an extension, if this is true, the extension will be allowed to load it's whitelist.
### Adding domains and hashes without use of XML
You can use ViewModel  `\Hyva\OptimizedCspAllowlist\ViewModel\Hosts::add(string $policyId, ['host.ext', ...])` to add domains without the use of `csp_whitelist.xml`.

This gives more flexibility as you can be very specific on which domains or hashes you want to allow in the frontend. This also brings the possibility to have dynamic domains on multilingual stores or using a specific CDN on a specific store.

For instance, the Google Analytics `.phtml` file can include registration for the domain in the same file instead of XML, making sure that only that script can be loaded on that page.
#### Dynamic domains
This will also bring the possible to add custom domains when using multilingual domains, no more `*.host.ext` but allow `lang.host.ext` instead.
#### Viewmodels for any theme
Viewmodels can be injected in `layout.xml` for any theme.
```xml
<!-- ... snap ... -->
<block ...>
  <arguments>
    <argument name="csp_view_model" xsi:type="object">\Hyva\OptimizedCspAllowlist\ViewModel\Hosts</argument>
  </arguments>
</block>
<!-- ... /snap ... -->
```
In your `.phtml` file you
```php
<?php
// .. snap
$cspViewModel = $block->getCspViewModel();
$cspViewModel->add('script-src', 'https://lang.host.ext')
// .. /snap
```
#### Viewmodel registry when using Hyvä Themes
When using Hyvä Themes, `$viewmodel->require(...) can be used.
```php
<?php
// .. snap
$cspViewModel = $viewModels->require(\Hyva\OptimizedCspAllowlist\ViewModel\Hosts::class);
$cspViewModel->add('script-src', 'https://lang.host.ext')
// .. /snap
```
### Notes
During research I ran into some miss configurations in default Magento extensions, for instance. `google-analytics.com` is whitelisted in the adwords extension.
Enabling google analytics in the backend will not add the header for GA because the domain is registered in the google adwords extension. 🤷
### Copyright
[Hyvä Themes](https://hyva.io/) 2025-
### Author
- [Jeroen Boersma](https://www.github.com/JeroenBoersma)

## Recent Versions

| Version | Released |
|---|---|
| 1.1.1 | 2026-01-06 |
| 1.1.0 | 2025-11-28 |
| 1.0.1 | 2025-08-11 |
| 1.0.0 | 2025-07-01 |

## Dependencies

### Require

| Package | Constraint |
|---|---|
| magento/framework | * |
| magento/module-csp | 100.4.* |
| php | >=8.1 |

### Require (dev)

| Package | Constraint |
|---|---|
| phpunit/phpunit | ^10.5 |

## Quality

Latest release (1.1.1) passes the Packagento QA pipeline. Verdicts below are per-cell (Magento line × PHP version) for the matrixed tools, and run-once for the static / security tiers.


### Compatibility

Each Magento line is installed on its supported PHP versions, then the module is built (DI compile + static-content deploy). Cells show passed / failed / untested; staircase gaps render as `–`.

| Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 |
|---|---|---|---|---|
| 2.4.7 | Pass | Pass | – | – |
| 2.4.8 | – | Pass | Pass | – |
| 2.4.9 | – | – | Pass | Pass |


### Code Quality

Advisory checks against the module's source. Never affect the Compatibility verdict — a phpcs finding can't make a module incompatible.

#### Static Analysis

Coding standards (phpcs), mess detection (phpmd), copy-pasted code (cpd), PHP cross-version compatibility, composer.json validity. Each runs once for the whole module.

| Tool | Status | Findings | Summary |
|---|---|---|---|
| PHPCS | Warning | 33 | 33 warnings (ruleset: Magento2) — 20 auto-fixable with phpcbf |
| PHPMD | Warning | 3 | 3 rule violations (UnusedFormalParameter:2, MissingImport:1) |
| Cpd | Pass | 0 |  |
| Composer validate | Info | 1 | valid; 1 advisory note (composer validate --strict) |

#### PHPStan

Type-checks the module against a real Magento install. Re-runs per Magento + PHP version because resolvable symbols differ between releases.

| Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 |
|---|---|---|---|---|
| 2.4.7 | Pass | Pass | – | – |
| 2.4.8 | – | Pass | Pass | – |
| 2.4.9 | – | – | Pass | Pass |


### Tests

Unit and integration suites run per Magento + PHP cell. Test failures speak to the module's behaviour, not its compatibility with a line, so they're reported here separately.

#### Unit Tests

| Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 |
|---|---|---|---|---|
| 2.4.7 | N/A | N/A | – | – |
| 2.4.8 | – | N/A | N/A | – |
| 2.4.9 | – | – | N/A | N/A |

#### Integration Tests

| Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 |
|---|---|---|---|---|
| 2.4.7 | N/A | N/A | – | – |
| 2.4.8 | – | N/A | N/A | – |
| 2.4.9 | – | – | N/A | N/A |


### Security

Dependency-advisory audit (composer audit) plus a source malware scan. A malware detection fails the version outright.

| Tool | Status | Findings | Summary |
|---|---|---|---|
| Composer audit | Pass | 0 |  |
| Malware scan | Pass | 0 |  |

## Licence and pricing

Free. A licence is still minted on checkout and bound to your project for Composer access — no payment step.

Refundable within 14 days of first purchase via https://packagento.com/account/refunds/.

## Install via Claude Code or any MCP client

The Packagento MCP server can run the licence + project + Composer steps above in one tool call:

```
purchase_and_install_packages(
  composer_names=["hyva-themes/magento2-optimized-csp-allowlist"],
  project_id="proj_xxx"
)
```

This handles cart, checkout, licence minting, project activation, and writes auth.json credentials. Connect a client with `claude mcp add packagento https://mcp.packagento.com`. Full setup at https://packagento.com/docs/mcp-setup.

## Vendor

hyva-themes is a Magento 2 vendor on Packagento. See https://packagento.com/hyva-themes.md for their full catalogue.