Prestashop is not compatible with Content-Security-Policy [CSP]


seog

Hi
 
Because Prestashop may have security holes in some of its modules (such as sendtofriend, through which I suffered Chinese spam), I added hardening to my VPS with some security patches.
 
If you try to add "Content-Security-Policy" to your website, then your JS crashes your website in the back office and front office due to Prestashop's unsafe inline JavaScript or externally loaded JS.
 
Do you know when Prestashop will fix it, or do you know what URLs/paths should be added to the Content-Security-Policy to fix Prestashop's JavaScript issues?
 
Example:
Content-Security-Policy: default-src 'strict-dynamic' http://cdn.prestashopJSpath; object-src 'none'
 
Best regards
Edited by seog (see edit history)

No, I tested the Cloudflare CDN, but I get better performance without a CDN. My website is without a CDN.

 

The issue is Prestashop's unsafe inline JavaScript: http://forge.prestashop.com/browse/PSCFV-3047

 

To fix it, it would be necessary to add all Prestashop inline JS paths used in the back office/front office to default-src (wherever Prestashop stores them, such as CDNs, TinyMCE URLs, etc.)

 

 

I understand that Prestashop should know what Content-Security-Policy would be compatible with the back office and front office.

 

NOTE: I do not have any external JS or CSS on my site. For example, none of my fonts call Google Fonts because I downloaded them and uploaded them directly to my server (fully local server).


I think you referenced a forge item that was created for PS v1.5 and closed in 2012. I'm not aware of the issue you are referring to regarding inline JavaScript as it relates to CSP.

 

Do you want to provide an exact example of what is failing CSP in the front or back office? Or perhaps create your own forge ticket for PS v1.6 or v1.7 where you believe an issue exists?


Hi bellini13

 

The issue is that the Prestashop back office loads inline scripts from outside of your website (JS and CSS), so you can't stop JavaScript hacks by bad users, because your back office breaks if you add any of the following security directives:

 

Content-Security-Policy: default-src 'none'; script-src https://www.mywebsite.com (Global issue)
Content-Security-Policy: default-src 'self'; (Global issue)
Content-Security-Policy: default-src https:; (Mainly errors due to third party modules)
Content-Security-Policy-Report-Only: default-src 'unsafe-inline' 'unsafe-eval' (Js inline prestashop issue)
 
The solution could be to add all links from which Prestashop loads in your back office, including its addons CDN URLs, etc.
 
I am asking whether any user knows what directive could be compatible with Prestashop.
 
Best regards
Edited by seog (see edit history)

  • 3 years later...

This is a very important topic. I am working on my CSP now and I stumble upon many problems with Prestashop.

It is currently very hard to implement a content security policy.

Too much inline styling, even out of the box.

The default PS Google modules do not allow implementation of a server nonce out of the box (some official docs from Google here).

 

After reading this, I still think there is much to be done in terms of security. Security should be a requirement; many modules and themes are probably breaking Prestashop's security. And even outside the scope of third-party modules, some default Prestashop modules still trigger CSP warning reports due to inline JavaScript, like the Google Analytics code and the cart module.

Edited by pixelicous (see edit history)

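The thread keeps circling back to the same question: which sources to allowlist, and which violations are inline/eval uses that an allowlist cannot fix. As an added example (not from the thread and not PrestaShop's own code), here is a small aggregator for the JSON violation reports a browser POSTs to the report-uri endpoint of a Content-Security-Policy-Report-Only header; the shop host, admin path and sample reports are constructed placeholders.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample violation reports in the JSON shape browsers POST to a
# report-uri endpoint. Host and admin path are made-up placeholders.
SAMPLE_REPORTS = [
    '{"csp-report": {"document-uri": "https://shop.example/admin-dev/",'
    ' "effective-directive": "script-src", "blocked-uri": "inline"}}',
    '{"csp-report": {"document-uri": "https://shop.example/",'
    ' "effective-directive": "script-src",'
    ' "blocked-uri": "https://www.google-analytics.com/analytics.js"}}',
    '{"csp-report": {"document-uri": "https://shop.example/",'
    ' "effective-directive": "script-src", "blocked-uri": "eval"}}',
    '{"csp-report": {"document-uri": "https://shop.example/admin-dev/",'
    ' "effective-directive": "style-src", "blocked-uri": "inline"}}',
    '{"csp-report": {"document-uri": "https://shop.example/admin-dev/",'
    ' "effective-directive": "script-src",'
    ' "blocked-uri": "https://www.google-analytics.com/ga.js"}}',
]

def summarize_csp_reports(raw_reports):
    """Per directive: external origins that could be allowlisted, versus
    inline/eval (non-URL) uses that need nonces, hashes or refactoring."""
    origins, inline = defaultdict(set), defaultdict(set)
    for raw in raw_reports:
        report = json.loads(raw).get("csp-report", {})
        # Older reports carry only violated-directive, possibly with sources.
        directive = report.get("effective-directive") or report.get("violated-directive", "")
        directive = directive.split()[0] if directive else "unknown"
        blocked = report.get("blocked-uri", "")
        if blocked.startswith(("http://", "https://")):
            parts = urlsplit(blocked)
            origins[directive].add(f"{parts.scheme}://{parts.netloc}")
        else:
            # "inline", "eval", "data", "self" or empty: no host to allowlist.
            inline[directive].add(blocked or "inline")
    return {"origins": dict(origins), "inline": dict(inline)}

def suggest_policy(summary):
    """Draft an enforcing policy: 'self' plus observed origins. Inline/eval
    findings are deliberately not turned into 'unsafe-inline'/'unsafe-eval'."""
    parts = ["default-src 'self'", "object-src 'none'"]
    for directive in sorted(set(summary["origins"]) | set(summary["inline"])):
        sources = ["'self'"] + sorted(summary["origins"].get(directive, ()))
        parts.append(f"{directive} {' '.join(sources)}")
    return "; ".join(parts)
```

Run it in report-only mode first and treat everything left in the "inline" bucket as the list of templates or modules to rework, not as a reason to add 'unsafe-inline'.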