AC-10685: [PCI] CSP enforced on payment pages

tranthienbinh1989 · tranthienbinh1989 · commit 15996a7c4c7c · 2024-03-11T12:19:31.000-05:00
diff --git a/app/code/Magento/Checkout/etc/csp_whitelist.xml b/app/code/Magento/Checkout/etc/csp_whitelist.xml
diff --git a/app/code/Magento/Paypal/Block/PayLater/Banner.php b/app/code/Magento/Paypal/Block/PayLater/Banner.php
@@ -97,7 +97,8 @@ public function getJsLayout()
         $config['displayAmount'] = !$displayAmount || $this->payLaterConfig->isPPBillingAgreementEnabled()
             ? false : true;
         $config['dataAttributes'] = [
-            'data-partner-attribution-id' => $this->paypalConfig->getBuildNotationCode()
+            'data-partner-attribution-id' => $this->paypalConfig->getBuildNotationCode(),
+            'data-csp-nonce' => $this->paypalConfig->getCspNonce(),
         ];
 
         //Extend block component attributes with defaults
diff --git a/app/code/Magento/Paypal/Block/PayLater/LayoutProcessor.php b/app/code/Magento/Paypal/Block/PayLater/LayoutProcessor.php
@@ -88,7 +88,8 @@ public function process($jsLayout)
             $config['displayAmount'] = !$displayAmount || $this->payLaterConfig->isPPBillingAgreementEnabled()
                 ? false : true;
             $config['dataAttributes'] = [
-                'data-partner-attribution-id' => $this->paypalConfig->getBuildNotationCode()
+                'data-partner-attribution-id' => $this->paypalConfig->getBuildNotationCode(),
+                'data-csp-nonce' => $this->paypalConfig->getCspNonce(),
             ];
 
             $attributes = $this->payLaterConfig->getSectionConfig(
diff --git a/app/code/Magento/Paypal/Model/Config.php b/app/code/Magento/Paypal/Model/Config.php
@@ -6,6 +6,8 @@
 
 namespace Magento\Paypal\Model;
 
+use Magento\Csp\Helper\CspNonceProvider;
+use Magento\Framework\App\ObjectManager;
 use Magento\Payment\Helper\Formatter;
 
 /**
@@ -599,21 +601,28 @@ class Config extends AbstractConfig
      */
     protected $_certFactory;
 
+    /**
+     * @var CspNonceProvider
+     */
+    protected $cspNonceProvider;
+
     /**
      * @param \Magento\Framework\App\Config\ScopeConfigInterface $scopeConfig
      * @param \Magento\Directory\Helper\Data $directoryHelper
      * @param \Magento\Store\Model\StoreManagerInterface $storeManager
      * @param \Magento\Payment\Model\Source\CctypeFactory $cctypeFactory
      * @param CertFactory $certFactory
      * @param array $params
+     * @param CspNonceProvider|null $cspNonceProvider
      */
     public function __construct(
         \Magento\Framework\App\Config\ScopeConfigInterface $scopeConfig,
         \Magento\Directory\Helper\Data $directoryHelper,
         \Magento\Store\Model\StoreManagerInterface $storeManager,
         \Magento\Payment\Model\Source\CctypeFactory $cctypeFactory,
         \Magento\Paypal\Model\CertFactory $certFactory,
-        $params = []
+        $params = [],
+        CspNonceProvider $cspNonceProvider = null
     ) {
         parent::__construct($scopeConfig);
         $this->directoryHelper = $directoryHelper;
@@ -628,6 +637,8 @@ public function __construct(
                 $this->setStoreId($storeId);
             }
         }
+
+        $this->cspNonceProvider = $cspNonceProvider ?: ObjectManager::getInstance()->get(CspNonceProvider::class);
     }
 
     /**
@@ -1845,4 +1856,15 @@ public function getPayLaterConfigValue($fieldName)
             $this->_storeId
         );
     }
+
+    /**
+     * Get a cps nonce for the current request
+     *
+     * @return string
+     * @throws \Magento\Framework\Exception\LocalizedException
+     */
+    public function getCspNonce(): string
+    {
+        return $this->cspNonceProvider->generateNonce();
+    }
 }
diff --git a/app/code/Magento/Paypal/Model/SmartButtonConfig.php b/app/code/Magento/Paypal/Model/SmartButtonConfig.php
@@ -11,7 +11,6 @@
 use Magento\Framework\App\Config\ScopeConfigInterface;
 use Magento\Framework\Locale\ResolverInterface;
 use Magento\Store\Model\ScopeInterface;
-use Magento\Store\Model\StoreManagerInterface;
 use Magento\Paypal\Model\Config as PaypalConfig;
 
 /**
@@ -92,7 +91,8 @@ public function getConfig(string $page): array
             'isGuestCheckoutAllowed'  => $isGuestCheckoutAllowed,
             'sdkUrl' => $this->sdkUrl->getUrl(),
             'dataAttributes' => [
-                'data-partner-attribution-id' => $this->paypalConfig->getBuildNotationCode()
+                'data-partner-attribution-id' => $this->paypalConfig->getBuildNotationCode(),
+                'data-csp-nonce' => $this->paypalConfig->getCspNonce(),
             ]
         ];
     }
