MC-19927: Implement hash-whitelisting, dynamic CSP

Author: Oleksandr Gorkun

app/code/Magento/Csp/Helper/InlineUtil.php

@@ -109,10 +109,11 @@ private function extractRemoteFonts(string $styleContent): array
      * Extract remote hosts utilized.
      *
      * @param string $tag
+     * @param string[] $attributes
      * @param string|null $content
      * @return string[]
      */
-    private function extractRemoteHosts(string $tag, ?string $content): array
+    private function extractRemoteHosts(string $tag, array $attributes, ?string $content): array
     {
         /** @var string[] $remotes */
         $remotes = [];
@@ -163,7 +164,7 @@ public function renderTag(string $tagName, array $attributes, ?string $content =
         }
         /** @var string $policyId */
         $policyId = self::$tagMeta[$tagName]['id'];
-        $remotes = $this->extractRemoteHosts($tagName, $content);
+        $remotes = $this->extractRemoteHosts($tagName, $attributes, $content);
         if (empty($remotes) && !$content) {
             throw new \InvalidArgumentException('Either remote URL or hashable content is required to whitelist');
         }
@@ -180,7 +181,6 @@ public function renderTag(string $tagName, array $attributes, ?string $content =
             );
         }
 
-
         return $this->render($tagName, $attributes, $content);
     }
 

app/code/Magento/Csp/Plugin/CspAwareControllerPlugin.php

@@ -38,7 +38,7 @@ public function __construct(ControllerCollector $collector)
      * @return ActionInterface|null
      * @SuppressWarnings(PHPMD.UnusedFormalParameter)
      */
-    public function afterMatch(RouterInterface $router, ?ActionInterface $matched): ?ActionInterface
+    public function afterMatch(RouterInterface $router, $matched)
     {
         if ($matched && $matched instanceof CspAwareActionInterface) {
             $this->collector->setCurrentActionInstance($matched);