Using a Strict Content Security Policy Header while allowing Woo to work

  • Resolved danrancan

    (@danrancan)


    1 year, 4 months ago

    Hi, I am trying to create a strict Content Security Policy (CSP) in my Nginx configuration, and I want to be sure that any outside sources that this plugin uses are included in my policy.

    In my Nginx virtual hosts server block, I am starting off with the following strict Content Security Policy (Header):

    add_header Content-Security-Policy "default-src 'self';

    Is there anything that THIS PLUGIN uses that isn’t included in ‘self’, that would need to be included in a strict content security policy header?

    If so, could you please tell me what else I need to include in my Nginx header (specifying img-src rules, style-src rules, script-src rules, connect-src rules, and any other etc-src etc-src rules to keep a strict CSP while still allowing this plugin to be fully functional? Thanks so much for any help!

    # PLEASE DISREGARD THE BELOW INFO: IT IS ADDITIONAL RANDOM CONTENT TO PREVENT WORDPRESS FROM THINKING I AM CREATING DUPLICATE POSTS WHEN POSTING THE SAME QUESTION IN OTHER PLUGIN PAGES RELATIVE TO THAT SPECIFIC PLUGIN!

    • This topic was modified 1 year, 4 months ago by James Huff.
    • This topic was modified 1 year, 4 months ago by James Huff. Reason: wikipedia content removed
Viewing 4 replies - 1 through 4 (of 4 total)
  • Moderator James Huff

    (@macmanx)

    PLEASE DISREGARD THE BELOW INFO: IT IS ADDITIONAL RANDOM CONTENT TO PREVENT WORDPRESS FROM THINKING I AM CREATING DUPLICATE POSTS WHEN POSTING THE SAME QUESTION IN OTHER PLUGIN PAGES RELATIVE TO THAT SPECIFIC PLUGIN!

    Hi @danrancan please stop doing that.

    If you’re posting duplicate requests for multiple plugins, we don’t care as long as it’s in the correct forum.

    But, if you take a lot of content from elsewhere, especially content with lots of links, you’re going to be caught as spam every. single. time.

    HI @danrancan,

    Thanks for reaching out.

    I have escalated this with our development team. They will get back to you as soon as they can.

    Kind regards,
    Moshtafizur

    Plugin Contributor Pablo Pacheco

    (@karzin)

    Hi @danrancan ,

    I’m not familiar with Nginx setups.

    Anyway, I believe that the only outside source used by this plugin would be the alg_wc_ev_verify_email query string parameter.

    Hi,

    I hope you are well and safe.

    We haven’t received any reply regarding the issue. So we are going to mark the ticket as “Resolved”.

    But if you have any questions, then please let us know.

    Kind regards,
    Moshtafizur

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘Using a Strict Content Security Policy Header while allowing Woo to work’ is closed to new replies.