August 20, 2021 at 6:23 pm #1317659
Hi
I am trying to implement the content security header in .htaccess. I have the following:
Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' https: data:; style-src 'self' 'unsafe-inline' https: data:; script-src 'self' 'unsafe-inline' https: data:"

But when 'unsafe-inline' is removed, the Page Builder and Google Maps stop working. Is there any way to implement a CSP without using 'unsafe-inline'? Or is this required for the theme to work?
August 25, 2021 at 4:49 am #1318205
Hey pythagoras_microsoft,
Thank you for the inquiry.
The builder and Google maps rely on inline scripts, so they will not work when inline sources are blocked. Without the CSP directive, browsers allow inline sources (scripts, styles, onclick attr etc) by default, so you can just keep it as is.
Best regards,
Ismael

August 25, 2021 at 8:49 am #1318243
See here: https://kriesi.at/support/topic/header-security-entries/#post-1153114
It is clear that if you want to use Google Maps or play YouTube videos, you have to allow connections and script loading (and styles too) from Google servers.
So you can add these servers by listing them in your CSP (see my settings here: Link).
What makes me wonder (and that was the reason for my topic in November 2019) is that the backend of a freshly installed WordPress could not work without these settings (unsafe-inline …).

August 25, 2021 at 11:04 am #1318258
Thanks for your responses.
Yes, it appears that unsafe-inline scripts are required for WordPress itself to work. I tried a fresh install of WordPress with both the Classic Editor and Gutenberg, and both fail to load the page builders. Unfortunately, our info-security team won't allow the site to have these "unsafe-inline" elements due to the security risks.
I have managed to work around the issue by declaring a hash (sha256-XYZ) for each of the inline scripts that are required for the front end to work and repeating all of the inline styling that the theme uses in the child theme CSS file.
While this works for the front end, WordPress and the Enfold theme builder use far too many inline scripts to declare each of them for the back end (I think I counted around 90 on one page). Luckily we have hosting with a staging environment, so I am currently running the staging environment with the Content Security Policy commented out in the .htaccess file. That way the site is usable, the backend can be accessed, and all edits are made in this environment; when I deploy to live, I activate the security policy so that the public-facing site is secure and free of unsafe-inline scripts and styles.
August 25, 2021 at 1:35 pm #1318285
I have tried to read into the use of the nonce attribute in CSP Level 2, but my modest script knowledge is not sufficient for that.
August 25, 2021 at 1:47 pm #1318288
If you inspect the page and go to the Console tab, it will show you all of the scripts that are failing to load. At the end of each error message, Chrome gives you the hash you need to add to the CSP for each script that is failing.
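As an added example (not code from any post in this thread, nor from WordPress or the Enfold theme), the Python below computes the 'sha256-…' source expressions that the hash-based workaround and the Chrome console messages refer to, assembles a script-src directive from them, and models how a CSP Level 2 browser decides whether an inline script runs, including the nonce alternative mentioned above. The two inline scripts are constructed samples standing in for the ones a real page emits.

```python
import base64
import hashlib
import re
import secrets

# Constructed sample inline scripts; they stand in for the ~90 that WordPress
# and the theme emit and are not taken from any real page.
INLINE_SCRIPTS = [
    "var avia_framework_globals = {};",
    "console.log('page builder init');",
]

CSP_HASH_ALGOS = ("sha256", "sha384", "sha512")


def csp_hash(script_body: str, algo: str = "sha256") -> str:
    """Return the source expression the browser expects, e.g. 'sha256-47DE...=',
    for the exact text between <script> and </script>.  Every byte counts:
    a changed space or a single edited character produces a different hash."""
    if algo not in CSP_HASH_ALGOS:
        raise ValueError(f"CSP accepts only {CSP_HASH_ALGOS}")
    digest = hashlib.new(algo, script_body.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def make_nonce() -> str:
    """Unguessable nonce for one HTTP response; a real deployment must generate a
    fresh one per request, which a static .htaccess header cannot do."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def build_script_src(hashes=(), nonce=None, unsafe_inline=False) -> str:
    """Assemble a script-src directive from 'self', https: and the allowed inline
    sources (same shape as the directive in the thread, minus data:)."""
    sources = ["'self'", "https:"]
    if unsafe_inline:
        sources.append("'unsafe-inline'")
    if nonce:
        sources.append(f"'nonce-{nonce}'")
    sources.extend(hashes)
    return "script-src " + " ".join(sources)


def htaccess_line(script_src: str) -> str:
    """Full Header directive for .htaccess, with the script-src built above."""
    policy = f"default-src 'self' https:; style-src 'self' https:; {script_src}"
    return f'Header set Content-Security-Policy "{policy}"'


def inline_script_allowed(script_src: str, body: str, nonce_attr=None) -> bool:
    """Model of the browser's decision for one inline <script>.

    Per CSP Level 2, once the directive carries any nonce or hash source,
    'unsafe-inline' is ignored, so a hash-based policy really does block every
    inline script whose hash is not listed."""
    tokens = script_src.split()[1:]  # drop the 'script-src' keyword
    hashes = {t for t in tokens
              if re.fullmatch(r"'sha(256|384|512)-[A-Za-z0-9+/=]+'", t)}
    nonces = {t[len("'nonce-"):-1] for t in tokens if t.startswith("'nonce-")}
    if hashes or nonces:
        if nonce_attr is not None and nonce_attr in nonces:
            return True
        return any(csp_hash(body, algo) in hashes for algo in CSP_HASH_ALGOS)
    return "'unsafe-inline'" in tokens


if __name__ == "__main__":
    hashes = [csp_hash(s) for s in INLINE_SCRIPTS]
    directive = build_script_src(hashes)
    print(htaccess_line(directive))
    for script in INLINE_SCRIPTS:
        print("allowed:", inline_script_allowed(directive, script), "-", script)
    # One trailing space appended to the script is enough to invalidate its hash.
    print("edited script allowed:",
          inline_script_allowed(directive, INLINE_SCRIPTS[0] + " "))
```

The brittleness this shows is why the console keeps producing new hashes after theme or plugin updates: any byte-level change to an inline script invalidates its entry, and while hashes or nonces are present the browser no longer honours 'unsafe-inline' as a fallback. Nonces avoid re-hashing but need a per-request value injected into both the header and every script tag, which rules out a fixed header in .htaccess.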