We have been using this module since the update to Magento Version 2.4.7. It has been working without issues ever since.
When updating Hyva from 1.3.9 to 1.3.10 it bundles additional modules of the payment provider Mollie, which adds additional CSP rules. Upon installing these modules, the checkout page returned an HTTP 500 error, as happened previously when updating to 2.4.7.
Upon inspecting the header with x-debug, right before the response is sent (and the splitting has already occurred) the CSP header was larger than 8190 characters.
Apache logged the following Error-Codes, which looked familiar to me:
AH01070
AH01075
We have the CSP module enabled with a `basecom_csp_split_header/settings/max_header_size` value of `8190` (which is the maximum size that Apache can handle). Changing the value to `4000` resolved the issue. So I dug deeper and did further testing. I would like to share my observations with you, as the header splitting does not seem to work reliably for all cases:

```text
;;
- 71
;;;
;;
- 71
;;;
;;
- 71
;;;
;;
- 508
;;;
;;
- 1287
;;
- 1965
;;
- 1489
;;
- 1784
;;
- 508
;;;
```

A general observation I made is that there are two semicolons `;;` at the end of each header. The last header has three trailing semicolons `;;;`. This seems to be another issue with the header generation, but the more relevant part seems to be this:

My theory is that the added length from all the semicolons in each generated header is not accounted for. That is probably why the separation of the header happens too late. It tries to fit in a last entry that should already be moved to the second header. There is a check for the header size in `CspHeaderSplitter.php` in line #L103. But it seems that during the generation of the header (see #L126) the semicolons are not accounted for.
This is just a theory, the problem might lie elsewhere. It seems plausible to me though.
I hope this insight was useful for you and you can work with this information!
Feel free to ask if you have any further questions.
Best regards & thank you in advance
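As an added illustration of the mechanism the report suspects (this is hypothetical example code written for this page, not the basecom module's code, and it makes no claim about what `CspHeaderSplitter.php` actually does), here is a simplified PHP header splitter in two variants. The naive variant sums the lengths of the directives it has collected and ignores the `; ` separator bytes that `implode()` adds when the header is serialised, so its last chunk can end up longer than the configured maximum. The measured variant checks the length of exactly the string that will be sent. The directive strings and hosts are constructed placeholders; the `;;` observation is not modelled here.

```php
<?php
declare(strict_types=1);

// Added example, not the basecom module's code. A hypothetical CSP header
// splitter in two variants, to show how a size check that counts only the
// directive text (and not the "; " inserted between directives on
// serialisation) can emit a chunk longer than the configured maximum.

/**
 * Naive variant: sums strlen() of the directives placed in the current
 * chunk and starts a new chunk when the sum would exceed $max. The two
 * separator bytes added per directive by implode() are never counted.
 *
 * @param string[] $directives
 * @return string[] serialised header values
 */
function splitNaive(array $directives, int $max): array
{
    $chunks  = [];
    $current = [];
    $length  = 0;
    foreach ($directives as $directive) {
        if ($current !== [] && $length + strlen($directive) > $max) {
            $chunks[] = implode('; ', $current);
            $current  = [];
            $length   = 0;
        }
        $current[] = $directive;
        $length   += strlen($directive); // separators not accounted for
    }
    if ($current !== []) {
        $chunks[] = implode('; ', $current);
    }
    return $chunks;
}

/**
 * Measured variant: builds the serialised value incrementally and checks
 * the length of exactly the string that will be sent, separators included.
 *
 * @param string[] $directives
 * @return string[]
 */
function splitMeasured(array $directives, int $max): array
{
    $chunks  = [];
    $current = '';
    foreach ($directives as $directive) {
        $candidate = $current === '' ? $directive : $current . '; ' . $directive;
        if ($current !== '' && strlen($candidate) > $max) {
            $chunks[]  = $current;
            $candidate = $directive;
        }
        $current = $candidate;
    }
    if ($current !== '') {
        $chunks[] = $current;
    }
    return $chunks;
}

/** Returns the chunks whose serialised length exceeds $max (should be none). */
function oversizedChunks(array $chunks, int $max): array
{
    return array_values(array_filter(
        $chunks,
        static fn(string $chunk): bool => strlen($chunk) > $max
    ));
}

// Constructed input (hosts are placeholders). The limit is set to exactly the
// sum of the directive lengths, so the naive check believes everything fits
// in one header while the serialised value is 2 * (n - 1) bytes too long.
$directives = [
    "default-src 'self'",
    "script-src 'self' https://cdn.example.test",
    "style-src 'self' 'unsafe-inline'",
    "img-src 'self' data: https://images.example.test",
    "connect-src 'self' https://api.example.test",
];
$max = array_sum(array_map('strlen', $directives));

foreach (['splitNaive', 'splitMeasured'] as $fn) {
    $chunks = $fn($directives, $max);
    printf("%-13s limit=%d chunks=%d sizes=%s oversized=%d\n",
        $fn, $max, count($chunks),
        implode(',', array_map('strlen', $chunks)),
        count(oversizedChunks($chunks, $max)));
}
```

Run with `php splitter.php`: the naive variant reports a single chunk that is 8 bytes over the limit, the measured variant reports two chunks and none oversized. The same `oversizedChunks()` check, applied to the actual response headers right before they are sent, is a direct way to confirm or rule out the theory above on a real installation.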