The plugin detects a violation by a certain domain and the line appears in the Current violations list. I check it out and decide that the domain in question has nothing to do with my site and was probably injected by a plugin in a visitor’s browser. So, I leave Status at Blocked.
My question is how do I distinguish between a violation that has been analyzed and left at blocked and a new violation that has not yet been analyzed?

The following warning has started to appear in the error log:
PHP Warning: in_array() expects parameter 2 to be array, null given in /mysite/wp-content/plugins/sea-sp-community-edition/src/controllers/Ajax.php on line 430, referer https://www.mysite.com/some-page/
As it was generated by an unknown visitor to the site, I cannot say what led to the warning. However, it did appear for two different pages.

Please do not forget to use the local DB prefix in the commands to drop database tables.
Also, are you automatically dropping the tables when the plugin is deactivated?
'db.seasp_csp' for query DROP TABLE
seasp_csp; made by deactivate_plugins, do_action('deactivate_sea-sp-community-edition/Bluetriangle-free-csp.php'), WP_Hook->do_action, WP_Hook->apply_filters, Blue_Triangle_Automated_Free_CSP_deactivate
PHP message: WordPress database error Unknown table 'db.seasp_directives' for query DROP TABLE
seasp_directives; made by deactivate_plugins, do_action('deactivate_sea-sp-community-edition/Bluetriangle-free-csp.php'), WP_Hook->do_action, WP_Hook->apply_filters,
If so, that is a VERY BAD idea. Drop tables when one uninstalls, but NOT when one activates.
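An added illustration of the two points raised above, written here as example code and not taken from SeaSP itself: the tables are created and dropped with the site's `$wpdb->prefix`, the deactivation hook leaves data untouched, and destructive cleanup lives in `uninstall.php`. The base table names come from the log and the posts on this page; the column layout, hook names and option name are assumptions.

```php
<?php
// Added example, not SeaSP's own code. Base table names come from the log
// and the posts above; the column layout, hook and option names are assumed.

// --- main plugin file ---------------------------------------------------
register_activation_hook( __FILE__, 'seasp_example_activate' );
function seasp_example_activate() {
    global $wpdb;
    require_once ABSPATH . 'wp-admin/includes/upgrade.php';
    // Always build the name from the site's configured prefix (wp_ or custom).
    $table = $wpdb->prefix . 'seasp_csp';
    dbDelta( "CREATE TABLE {$table} (
        id bigint(20) unsigned NOT NULL AUTO_INCREMENT,
        directive varchar(64) NOT NULL,
        source varchar(255) NOT NULL,
        PRIMARY KEY  (id)
    ) " . $wpdb->get_charset_collate() . ';' );
}

// Deactivation must leave data in place: an admin toggling the plugin off
// (or WordPress doing so during an update) must not lose the collected
// violations. Only transient state is cleared here.
register_deactivation_hook( __FILE__, 'seasp_example_deactivate' );
function seasp_example_deactivate() {
    wp_clear_scheduled_hook( 'seasp_example_cron' ); // assumed cron hook name
}

// --- uninstall.php (a separate file, loaded by WordPress only on "Delete") --
if ( ! defined( 'WP_UNINSTALL_PLUGIN' ) ) {
    exit; // refuse to run when requested directly rather than by WordPress
}
global $wpdb;
foreach ( array( 'seasp_csp', 'seasp_directives', 'seasp_site_settings' ) as $base ) {
    $table = $wpdb->prefix . $base;                 // same prefix as on activation
    $wpdb->query( "DROP TABLE IF EXISTS `{$table}`" );
}
delete_option( 'seasp_example_settings' );         // assumed option name
```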

After doing a fresh install of ver. 1.8.0 — that is, installing it on a site that did not previously have SeaSP installed — I opened every page (about 150) of the site. I then checked the list of violations and found a huge number of redundant entries. For example, googletagmanager.com appears 73 times in the default-src directive. Similarly, mysite.com appears 72 times for that directive; twice for font-src; thrice for img-src; and so forth.
I note, too, that certain violations were simply not logged for the frame-src directive. For example, there are two videos played from vimeo.com which require explicit permission for the domain, but which do not appear in the list of violations.
It appears that something very unexpected is happening.

I am trying to understand how the plugin handles the following situation.
My site allows visitors to buy services using the Stripe payment gateway. When the customer clicks on the button to pay via Stripe, this page is opened:
https://checkout.stripe.com/pay/etc.
The following message appears in the browser console:
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”). gps.js:199:11
The snippet of code from gps.js relevant to this is:
    // `script` is the <script> element created earlier in gps.js (not part of this excerpt)
    let parent = document.head || document.body || document.documentElement;
    let firstChild = (parent.childNodes && (parent.childNodes.length > 0)) ? parent.childNodes[0] : null;
    if (firstChild) {
        parent.insertBefore(script, firstChild);
    } else {
        parent.appendChild(script);
    }
Now, the plugin is configured to only track and report CSP violations, not to enforce them. Furthermore, there is no script gps.js anywhere on my site. There is no report of a violation by the plugin.
So, does the above message only concern the checkout.stripe.com site and have nothing at all to do with my site and how I configure the plugin? Does that mean that Stripe has written code to run a script that its own CSP prevents from running?
I am very confused by this situation and would be happy to get some expert advice.

I note that in the Current Violations tab, when “Include subdomains” is set, the resulting CSP header contains redundant information. For example:
default-src 'self' https: mydomain.com *.mydomain.com mysubdomain.mydomain.com;
The same redundancy occurs with any directive where “include subdomains” is set.
I can understand including mydomain.com and mysubdomain.mydomain.com, but they are redundant when you also include *.mydomain.com, no?
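An added example, not SeaSP's own code, showing how a directive's source list can be collapsed so that neither the exact duplicates reported in the earlier post (the same host logged dozens of times) nor hosts already covered by a wildcard survive. One caveat from CSP Level 3 host-source matching is built in: `*.mydomain.com` matches subdomains only, never `mydomain.com` itself, so the bare domain is not redundant and is kept. The function name is an assumption.

```php
<?php
// Added example, not SeaSP's own code. Collapses a directive's source list
// the way one would expect after "Include subdomains" is enabled.

/**
 * Drop exact duplicates and host sources already covered by a wildcard.
 * Per CSP Level 3, *.example.com matches only subdomains of example.com,
 * never example.com itself, so the bare domain is kept. Keywords ('self'),
 * nonces and scheme-sources are passed through untouched; note that a
 * scheme-source such as https: already matches every https URL, which
 * makes explicit host entries redundant for that scheme anyway.
 */
function seasp_example_normalize_sources( array $sources ) {
    $sources   = array_values( array_unique( array_map( 'strtolower', $sources ) ) );
    $wildcards = array();
    foreach ( $sources as $src ) {
        if ( substr( $src, 0, 2 ) === '*.' ) {
            $wildcards[] = substr( $src, 2 ); // "*.mydomain.com" -> "mydomain.com"
        }
    }
    $kept = array();
    foreach ( $sources as $src ) {
        $covered = false;
        foreach ( $wildcards as $base ) {
            // Covered when the source ends in ".base" and is not the wildcard itself;
            // a narrower wildcard such as *.sub.base is covered as well.
            $suffix = '.' . $base;
            if ( $src !== '*' . $suffix
                 && strlen( $src ) > strlen( $suffix )
                 && substr( $src, -strlen( $suffix ) ) === $suffix ) {
                $covered = true;
                break;
            }
        }
        if ( ! $covered ) {
            $kept[] = $src;
        }
    }
    return $kept;
}

// Usage with the directive quoted in the post above.
$directive = "default-src 'self' https: mydomain.com *.mydomain.com mysubdomain.mydomain.com;";
$parts     = preg_split( '/\s+/', trim( rtrim( $directive, ';' ) ) );
$name      = array_shift( $parts );
echo $name . ' ' . implode( ' ', seasp_example_normalize_sources( $parts ) ) . ";\n";
```

For the quoted directive this keeps `'self' https: mydomain.com *.mydomain.com` and drops only `mysubdomain.mydomain.com`.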

For some header fields the “https:” switch is always on and cannot be disabled.
For example, in frame-ancestors, child-src, connect-src, manifest-src, prefetch-src, script-src-elem, …
I’m also missing the possibility to set “upgrade-insecure-requests”, “report-uri” and “object-src”.

Hey Guys,
Thanks for fixing the error related to Google domains not displaying properly. I still have some completely blank domains showing up, and the main domain is just showing up as com now?
Thanks for the work on the plugin and I will surely leave a review, but once it’s working efficiently. If you need help testing, send me a message or something.

After updating the plugin to ver 1.5.0 certain elements on a page are being blocked (when the CSP is active), but no error message is displayed in the browser console explaining what directive is concerned.
The problem occurs in Firefox 86.0.1, but not in Chrome 89.0.4389.90. In particular, the page should display several background images and some header text, but it does not in Firefox. In Chrome, the page is displayed correctly. Caches are cleared in all cases.
In the Chrome console there are absolutely no messages at all. In the Firefox console, there are various messages, but the only messages relative to CSP are:
Content Security Policy: Couldn’t process unknown directive ‘script-src-elem’
Content Security Policy: Couldn’t process unknown directive ‘style-src-elem’
Content Security Policy: Couldn’t process unknown directive ‘style-src-attr’
The problem is not in the img-src directive.
Before upgrading to the current version of the plugin, I did not face this problem. There are no unhandled current violations in the plugin’s list.
I am at a loss to figure out how to diagnose the problem and resolve it.

I note that the tables in the database are named without the prefix defined by the administrator. Surely it would be a good idea to follow this WP standard, no?

I note that the database table ‘seasp_site_settings’ contains a column called ‘nonce_enabled’. I don’t see where the plugin manages nonces. What purpose does this column serve?

Hey there, thanks for the plugin, it really does make life easier, but there are a few issues and features I would request.
The first issue is that the entire domain does not show up for some entries, see this screenshot. They are google.co.in etc. requests but they don’t show in their entirety:
https://pasteboard.co/JQHvujP.png
Second, when we manually edit the CSP via text in the general settings we should be able to save it and have it reflected in the entries on the violation page.
That’s all, thanks.

I have SeaSP set in Report Only and Error Correction on. I am also using WP Cerber for security and have changed the login URL.
In the Cerber logs – I see repeated occurrences of the following. These seem to be coming from genuine users who have accessed pages on our site :
/wp-admin/admin-ajax.php?nonce=xxxxxx – the nonce value is the same for every site and of course not xxxxxx
The Form Field action = Blue_Triangle_Automated_CSP_Free_Send_CSP.
The reply to these is always a 403.
SeaSP appears to be collecting CSP Violation data as this shows up ok.
Is this behaviour to be expected?
Thanks.

I am just testing your plugin in Report Only mode. We have over 200 food recipe pages. I can visit each page, but I assume that, as we are a live site, any visitor who visits a page will contribute to the Current Violations gathering. I intend to run with Error Collection On for a reasonable time (weeks).
Also, I see that you do not appear to update the .htaccess file but instead store the policy in the WordPress DB. When the CSP is finalised, is the DB still used to load the CSP?
Plugin looks good!
Thanks.

This is a complex process to sort through and your plugin handles this nicely.
Do you have any plan to load other policy rules to make this more comprehensive?
Strict-Transport-Security
X-Frame-Options
Referrer-Policy
X-Content-Type-Options
Permissions-Policy
Thanks again!

Installed twice.
20/20 theme, no other active plugins, clean WP install.
Console shows me these error messages:
GET https://defcon28.org/wp-content/plugins/SeaSP-Community-Edition/bootstrap/bootstrap.bundle.min.js?ver=1.0 net::ERR_ABORTED 404
admin.php?page=blue-…-general-settings:1 Refused to apply style from ‘https://defcon28.org/wp-content/plugins/SeaSP-Community-Edition/css/btt.css?ver=5.5.1’ because its MIME type (‘text/html’) is not a supported stylesheet MIME type, and strict MIME checking is enabled.