Support M2 2.4.7

[stevenbrookes]

Hi

I see you now support PHP 8.3 which is great. I've upgraded our site to the latest M2 2.4.7 and now get this error in the browser console when I try to open the checkout.

Refused to execute inline script because it violates the following Content Security Policy directive on checkout page

Either the 'unsafe-inline' keyword, a hash ('sha256-aGdEGNntkwDDS/kwkeBvz2jvwf80p/Gtwq2qyspyyGA='), or a nonce ('nonce-...') is required to enable inline execution.

Looks to be created by below. Removing this from composer.json fixed this error

    <script type="text/javascript">
        window.dataLayer = window.dataLayer || [];
    </script>

Looks like it would be best to load the JS from a file rather than inline it as that provides better security for the site.

Disabling the module fixes the error so I'm pretty sure it's coming from this module.

[wssweb]

nonce support is now actually very much needed even on version 2.4.x due to Adobe back porting the CSP changes in 2.4.7 to resolve CVE-2024-34102. This is a 9.8 CVE which makes this patch immediately required for all practical purposes.

See Security Bulletin APSB24-40: https://helpx.adobe.com/security/products/magento/apsb24-40.html

The use of 'unsafe-inline' is not an effective solution as this will not be allowed after April 2025 to pass PCI compliance. Furthermore its not allowed with the patch/2.4.7 as CSP operates in strict mode so it would be ignored.

Google recommends the use of nonce: https://developers.google.com/tag-platform/security/guides/csp

Please add nonce support ASAP~