-
Posts
-
Hi,
I have a website with HTTPS build using Enfold, and the styles are not loading in Safari.
It give me this error: Refused to apply a stylesheet because its hash, its nonce, or ‘unsafe-inline’ appears in neither the style-src directive nor the default src directive of the Content Secutiry Policy.
Theme: Enfold
Version: 3.7
Installed: enfold
AviaFramework Version: 4.5.3
AviaBuilder Version: 0.9
– – – – – – – – – – –
ChildTheme: Enfold Child
ChildTheme Version: 1.0
ChildTheme Installed: enfoldML:128-PU:86-PLA:5
WP:4.6.3Is there a way to solve this? On other browsers works like a charm.
Thanks
Hey incuca,
Could you try updating your theme to the latest version (3.8.5) to see if that helps please? http://kriesi.at/documentation/enfold/updating-your-theme-files/
Best regards,
RikardHey!
Can you please install a plugin that can clear your transients and do let us know if that will solve your issue?
Thank you very muchCheers!
BasilisHey guys, thanks for the tips.
I installed a “Transient Cleaner” plugin and clear all the transients, but it is still breaking on Safari cause of the stylesheets not loading ” ‘unsafe-inline’ appears neither the style-src” etc etc.
Any other ideas?
Hi,
Could you please provide a screenshot of the error or the stylesheet with the “unsafe-inline” value? I can’t reproduce it on my safari.
Best regards,
IsmaelSorry for bumping this old thread, but was this ever resolved (it looks unresolved)?
I’m guessing it wasn’t or ‘unsafe-inline’ was added to the CSP.
Not allowing ‘unsafe-inline’ in Content-Security-Policy (CSP) is recommended, however it breaks Enfold (and others) since a lot of functionality is added as inline script (not external files).For others searching your options are pretty much limited to adding ‘unsafe-inline’ or adding hundreds of allowed hashes (which will be a pain to keep updated).
There’s some pretty good information on your options: https://scotthelme.co.uk/content-security-policy-an-introduction/Hi,
The user didn’t reply so we’re not sure if it’s resolved or not. Are you experiencing the same issue? Please provide a link to the site and a screenshot.
Best regards,
IsmaelHey guys, just to give you some light, the problem was resolved on the server side (Apache). It is in portuguese, but you can translate with Google :)
Com relação ao problema detectado no navegador Internet Explorer:
Problema apresentado: Fontes e alguns ícones não eram carregados, ou carregados de maneira incorreta.
Solução: Ajuste nas configurações relacionadas ao Header HTTP Header no Virtual Host HTTPS no Apache HTTPD. O trecho que estava causando problema:
Header Set Cache-Control “no-cache, no-store, must-revalidate, private”
Header Set Pragma “no-cache”
Substituído por:
Header Set Cache-Control “no-cache, must-revalidate, private”
A primeira diretiva foi reajustada e a segunda diretiva foi removida pois estava causando problema. “Pragma” tem apenas a função de manter compatibilidade com clientes HTTP 1.0, ou seja, sem necessidade para os browsers atuais. Segundo a RFC 2616, ambos podem coexistir, mas por algum motivo que não identifiquei está causando esta “quebra” no IE 10, 11.Com relação ao problema detectado no navegador Safari:
Problema apresentado: Página totalmente desformatada devido a bloqueio no carregamento de diversos elementos que compõem a interface. Bloqueios estes causados por diretivas CSP definidas no header através do cabeçalho:
Header set X-WebKit-CSP: “default-src ‘self'”
A solução de contorno foi remover essa configuração do Virtual Host do Apache HTTPD. Iremos reavaliar a documentação do CSP para ajustar as diretivas de modo a permitir o carregamento dos elementos necessários. Por enquanto, iremos deixar desta forma.Well that has very little to do with the underlying issue, even though it quite possible was a workaround for you.
The issue is that the CSP guides “strongly recommends” against using inline script and styling (evals too). I’m not too familiar with Avia framework and the inner workings of Enfold, but my guess is this is how it works (and will continue to work) by design.
In short (but not completely accurate): Some browsers (currently) enforce CSP versions differently from others. Your solution/workaround was to remove this safeguard completely.
A solução de contorno foi remover essa configuração do Virtual Host do Apache HTTPD. Iremos reavaliar a documentação do CSP para ajustar as diretivas de modo a permitir o carregamento dos elementos necessários. Por enquanto, iremos deixar desta forma.
My previous answer basically says that if you want to use enfold you have to lower your security enforcement/policy. CSP is a great safeguard against XSS and such exploits and by using ‘unsafe-inline’ config directive (or not using CSP at all) you expose yourself to this risk. Note that I’m not saying specifically that this makes Enfold theme unsafe to use. You just need to be aware that you cannot use this mitigation technique (which is quite common for important sites).
Edit:
To further clarify this is more of a WP issue than it is an Enfold issue. As a security minded admin it was a pain and I’ll keep updating/posting on the relevance of the initial error ‘unsafe-inline’ CSP directive.hi , i’m not sure but .. I think to have the same problem
using enternet explorer mobile vercion , my web site works bad, could you please contoll and tell me a solution ?
thank youHi,
@incuca & @riwern: Thanks you for the info.
@Sachasilvestri: According to the OP, it’s an issue with the server configuration. Please contact your hosting provider or follow @incuca’s suggestion above.Best regards,
Ismael
- You must be logged in to reply to this topic.