Tagged: ,

Viewing 13 posts - 1 through 13 (of 13 total)
  • Author
    Posts
  • #749397

    Hi,

    I have a website with HTTPS build using Enfold, and the styles are not loading in Safari.

    It give me this error: Refused to apply a stylesheet because its hash, its nonce, or ‘unsafe-inline’ appears in neither the style-src directive nor the default src directive of the Content Secutiry Policy.

    Theme: Enfold
    Version: 3.7
    Installed: enfold
    AviaFramework Version: 4.5.3
    AviaBuilder Version: 0.9
    – – – – – – – – – – –
    ChildTheme: Enfold Child
    ChildTheme Version: 1.0
    ChildTheme Installed: enfold

    ML:128-PU:86-PLA:5
    WP:4.6.3

    Is there a way to solve this? On other browsers works like a charm.

    Thanks

    #749757

    Hey incuca,

    Could you try updating your theme to the latest version (3.8.5) to see if that helps please? http://kriesi.at/documentation/enfold/updating-your-theme-files/

    Best regards,
    Rikard

    #750175

    Hi Rikard,

    we’ve updated the theme to 3.8.5, but still the problem persists.

    :(

    #750177

    Hey!

    Can you please install a plugin that can clear your transients and do let us know if that will solve your issue?
    Thank you very much

    Cheers!
    Basilis

    #750469

    Hey guys, thanks for the tips.

    I installed a “Transient Cleaner” plugin and clear all the transients, but it is still breaking on Safari cause of the stylesheets not loading ” ‘unsafe-inline’ appears neither the style-src” etc etc.

    Any other ideas?

    #752761

    Hi,

    Could you please provide a screenshot of the error or the stylesheet with the “unsafe-inline” value? I can’t reproduce it on my safari.

    Best regards,
    Ismael

    #850710

    Sorry for bumping this old thread, but was this ever resolved (it looks unresolved)?

    I’m guessing it wasn’t or ‘unsafe-inline’ was added to the CSP.
    Not allowing ‘unsafe-inline’ in Content-Security-Policy (CSP) is recommended, however it breaks Enfold (and others) since a lot of functionality is added as inline script (not external files).

    For others searching your options are pretty much limited to adding ‘unsafe-inline’ or adding hundreds of allowed hashes (which will be a pain to keep updated).
    There’s some pretty good information on your options: https://scotthelme.co.uk/content-security-policy-an-introduction/

    #851344

    Hi,

    The user didn’t reply so we’re not sure if it’s resolved or not. Are you experiencing the same issue? Please provide a link to the site and a screenshot.

    Best regards,
    Ismael

    #851567

    Hey guys, just to give you some light, the problem was resolved on the server side (Apache). It is in portuguese, but you can translate with Google :)

    Com relação ao problema detectado no navegador Internet Explorer:
    Problema apresentado: Fontes e alguns ícones não eram carregados, ou carregados de maneira incorreta.
    Solução: Ajuste nas configurações relacionadas ao Header HTTP Header no Virtual Host HTTPS no Apache HTTPD. O trecho que estava causando problema:
    Header Set Cache-Control “no-cache, no-store, must-revalidate, private”
    Header Set Pragma “no-cache”
    Substituído por:
    Header Set Cache-Control “no-cache, must-revalidate, private”
    A primeira diretiva foi reajustada e a segunda diretiva foi removida pois estava causando problema. “Pragma” tem apenas a função de manter compatibilidade com clientes HTTP 1.0, ou seja, sem necessidade para os browsers atuais. Segundo a RFC 2616, ambos podem coexistir, mas por algum motivo que não identifiquei está causando esta “quebra” no IE 10, 11.

    Com relação ao problema detectado no navegador Safari:
    Problema apresentado: Página totalmente desformatada devido a bloqueio no carregamento de diversos elementos que compõem a interface. Bloqueios estes causados por diretivas CSP definidas no header através do cabeçalho:
    Header set X-WebKit-CSP: “default-src ‘self'”
    A solução de contorno foi remover essa configuração do Virtual Host do Apache HTTPD. Iremos reavaliar a documentação do CSP para ajustar as diretivas de modo a permitir o carregamento dos elementos necessários. Por enquanto, iremos deixar desta forma.

    #851575

    Well that has very little to do with the underlying issue, even though it quite possible was a workaround for you.

    The issue is that the CSP guides “strongly recommends” against using inline script and styling (evals too). I’m not too familiar with Avia framework and the inner workings of Enfold, but my guess is this is how it works (and will continue to work) by design.

    In short (but not completely accurate): Some browsers (currently) enforce CSP versions differently from others. Your solution/workaround was to remove this safeguard completely.

    A solução de contorno foi remover essa configuração do Virtual Host do Apache HTTPD. Iremos reavaliar a documentação do CSP para ajustar as diretivas de modo a permitir o carregamento dos elementos necessários. Por enquanto, iremos deixar desta forma.

    My previous answer basically says that if you want to use enfold you have to lower your security enforcement/policy. CSP is a great safeguard against XSS and such exploits and by using ‘unsafe-inline’ config directive (or not using CSP at all) you expose yourself to this risk. Note that I’m not saying specifically that this makes Enfold theme unsafe to use. You just need to be aware that you cannot use this mitigation technique (which is quite common for important sites).

    Edit:
    To further clarify this is more of a WP issue than it is an Enfold issue. As a security minded admin it was a pain and I’ll keep updating/posting on the relevance of the initial error ‘unsafe-inline’ CSP directive.

    #851865

    Hi riwern,

    Thanks a lot for sharing, much appreciated!

    Best regards,
    Rikard

    #852143

    hi , i’m not sure but .. I think to have the same problem
    using enternet explorer mobile vercion , my web site works bad, could you please contoll and tell me a solution ?
    thank you

    site http://www.hotescortlivorno.com/escort-livorno/

    • This reply was modified 7 years, 3 months ago by Marco.
    #852451

    Hi,


    @incuca
    & @riwern: Thanks you for the info.


    @Sachasilvestri
    : According to the OP, it’s an issue with the server configuration. Please contact your hosting provider or follow @incuca’s suggestion above.

    Best regards,
    Ismael

Viewing 13 posts - 1 through 13 (of 13 total)
  • You must be logged in to reply to this topic.