Hi, I can't get this right. Probably something easy to fix, but I don't get it to work with a script-src. It's a LinkedIn feed from Socialblekit.com that doesn't show on the site. Do you know what the problem could be?
https://lion.box.com/s/q7ao4yh7iptc97gsc187joe2kgmb2b64
Best regards
Mattias
I use some specific directives for CSP, like "report-to", which allows sending the log to endpoints. Is there any way to specify the report-to? It should apply to CSP, COEP, and COOP.
Thanks for guiding me.
Edit: I noticed that hash, strict-dynamic, nonce, report-sample directives are also missing. I edited the title.
I am using WordPress 6.2.2 with the Gutenberg editor. I introduced CSP in the .htaccess file, and since then, when I click on "Add New" in the "Page" tab, it generates errors with a white blank screen. The CSP and error are below...
CSP:
Content-Security-Policy "default-src 'self' https: 'unsafe-inline'; object-src 'none'; img-src 'self' https: data: blob: *.gravatar.com; style-src 'self' 'unsafe-inline'; worker-src 'self' blob:; font-src 'self' https: data: blob:; child-src 'self' https: data: blob:; frame-src 'self' https: data: blob:; script-src 'self' 'unsafe-inline'; frame-ancestors 'self'; form-action 'self' https: 'unsafe-inline'"
Error:
Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'unsafe-inline'".
at ./node_modules/react-refresh/runtime.js (react-refresh-runtime.js:29:1)
at __webpack_require__ (react-refresh-runtime.js:53:41)
at react-refresh-runtime.js:64:37
at react-refresh-runtime.js:67:12
Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'unsafe-inline'". data.js:345
at new Function ()
at data.js:345:30
at combineReducers (data.js:347:5)
at blocks.js:8559:97
at blocks.js:15470:2
at blocks.js:15472:12
When I add 'unsafe-eval' to script-src in the CSP, no error is generated and it works fine.
But I need it to work without adding 'unsafe-eval' to script-src in the CSP. So please suggest an alternative approach.
Thanks
I would really appreciate it if you could help me find a workaround for this issue quickly.
We are facing an issue in default WordPress after implementing Content-Security-Policy in the httpd.conf file (i.e. the root file).
Header append X-FRAME-OPTIONS "SAMEORIGIN"
Header set X-XSS-Protection "1; mode=block"
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
Header always set Strict-Transport-Security "max-age=31536000"
Header always set X-Content-Type-Options "nosniff"
Header always set Content-Security-Policy "default-src 'self'"
To draw your attention, I would like to inform you that we are trying to add the following in .htaccess: Header always set Content-Security-Policy "default-src 'self' script-src 'self' " but it's not allowing us.
Please refer to the screenshots below for more details.
https://prnt.sc/1q2n2xg
https://prnt.sc/1q2n7qh
https://prnt.sc/1q2qplm – Here you can see the editor is not working
https://prnt.sc/1q2qwnc – Here you can see the editor and Upload Featured Image are not working
https://prnt.sc/1q2r87z – Here you can see the comment editor is not working
Please help ASAP, so I can deliver things to my client quickly.
Thanks
Bhavin
"The source list for Content Security Policy directive 'script-src' contains an invalid source: ''strict-dynamic''. It will be ignored."
It seems to be a known issue. But I haven’t come across any working solution.
Any chance to fix it so it doesn’t report an error in the console?
Thank you.
Best regards,
Jan
The source list for Content Security Policy directive 'script-src' contains an invalid source: ''strict-dynamic''. It will be ignored.
related:
https://github.com/szchenghuang/react-google-invisible-recaptcha/issues/23
You can see the problem live on the Google demo:
https://www.google.com/recaptcha/api2/demo?invisible=true (in the browser console)
It seems like the implementation is blocked by the Content Security Policy setting.
Console Output in Safari:
[Error] The source list for Content Security Policy directive 'script-src' contains an invalid source: ''strict-dynamic''. It will be ignored.
[Error] The source list for Content Security Policy directive 'script-src' contains an invalid source: ''strict-dynamic''. It will be ignored. (x2)
An example of a CSP HTTP header would be:
<?php
// Send the CSP header on the front end, the login page and the admin area.
add_action('send_headers', 'set_CSP_header');
add_action('login_init', 'set_CSP_header');
add_action('admin_init', 'set_CSP_header');
function set_CSP_header() {
    // Deny everything by default, then allow only same-origin resources plus the analytics host.
    $CSP = "Content-Security-Policy: default-src 'none'; script-src 'self' www.my-own-matomo-analytics-website.com; connect-src 'self'; img-src 'self' www.my-own-matomo-analytics-website.com; style-src 'self';";
    header($CSP);
}
?>
Currently this CSP header does not work with the WP-Matomo plugin because it blocks the tracking script from loading. Website administrators would have to have 'unsafe-inline' in the script-src directive to allow loading of the tracking script. Using 'unsafe-inline' removes most of the XSS protection that CSP is able to give.
To make WP-Matomo CSP compatible, the tracking script would have to be loaded from a separate .js file.
Are you planning on adding this feature? If yes, when? If no, what would be the challenges in making this plugin CSP compatible?
An example of a CSP HTTP header would be:
<?php
// Send the CSP header on the front end, the login page and the admin area.
add_action('send_headers', 'set_CSP_header');
add_action('login_init', 'set_CSP_header');
add_action('admin_init', 'set_CSP_header');
function set_CSP_header() {
    // Deny everything by default, then allow only same-origin resources plus the analytics host.
    $CSP = "Content-Security-Policy: default-src 'none'; script-src 'self' www.google-analytics.com; connect-src 'self'; img-src 'self'; style-src 'self';";
    header($CSP);
}
?>
Currently this CSP header does not work with the ExactMetrics plugin because it blocks the tracking script from loading. Website administrators would have to have 'unsafe-inline' in the script-src directive to allow loading of the tracking script. Using 'unsafe-inline' removes most of the XSS protection that CSP is able to give.
To make ExactMetrics CSP compatible, the tracking script would have to be loaded from a separate .js file.
Are you planning on adding this feature? If yes, when? If no, what would be the challenges in making this plugin CSP compatible?
For script-src, I am using the 'unsafe-eval' and 'unsafe-inline' values.
For style-src, I am using only the 'unsafe-inline' value.
However, according to hardenize.com, these parameters shouldn't be used because they re-enable insecure behavior that CSP disables by default. Here's a more in-depth explanation as to why this website doesn't recommend these values:
Script-src, unsafe-eval: By default, CSP doesn't allow dynamic script execution via eval and friends, but this policy overrides that behavior by specifying 'unsafe-eval' in the 'script-src' directive. As a result, XSS defenses provided by CSP are significantly weakened.
Script-src, unsafe-inline: By default, CSP doesn't allow inline script execution, but this policy overrides that behavior by specifying 'unsafe-inline' in the 'script-src' directive. As a result, all XSS defenses provided by CSP are significantly weakened.
Style-src, unsafe-inline: This policy allows inline styles. Although they are not as bad as inline scripts in terms of security, an injection bug in the script area would allow the attacker to modify page appearance.
Do you have any sound recommendations to address these security concerns? If I delete these values, I end up getting many errors.
Thanks for the help like always and I apologize for taking so much of your time!
All my best,
Joe
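Two things come up again and again in this thread: the report-to question (how the group named in CSP, COOP and COEP gets tied to an endpoint) and policies that are either silently broken (smart quotes copied from a web page, ''strict-dynamic'' quoted twice, a missing ';' between directives) or weakened by 'unsafe-inline' and 'unsafe-eval'. All of these can be caught before a header is deployed. The linter below is an added example, not code from the thread, from WordPress or from any plugin mentioned here; the policies it checks and the https://example.com reporting endpoint are constructed for illustration, and the sets of directives and keyword sources it knows are a subset of the CSP specification.

```python
"""Lint a set of security headers for the mistakes discussed in the thread.

Added example, not code from the thread. Sample policies and the
https://example.com endpoint below are constructed for illustration.
"""
import re

# Quote characters that editors and web pages substitute for ASCII quotes.
# A browser treats a token wrapped in them as an unknown source and ignores it.
SMART_QUOTES = {"\u2018": "'", "\u2019": "'", "\u201c": '"', "\u201d": '"'}

# Subset of CSP directive names; a directive name showing up as a *source*
# means a ';' was forgotten (as in "default-src 'self' script-src 'self'").
KNOWN_DIRECTIVES = {
    "default-src", "script-src", "style-src", "img-src", "connect-src", "font-src",
    "object-src", "media-src", "frame-src", "child-src", "worker-src", "manifest-src",
    "frame-ancestors", "form-action", "base-uri", "report-to", "report-uri",
    "upgrade-insecure-requests", "sandbox",
}
# Subset of keyword sources CSP defines; anything else in quotes is invalid.
KEYWORD_SOURCES = {
    "'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'", "'strict-dynamic'",
    "'unsafe-hashes'", "'report-sample'", "'wasm-unsafe-eval'",
}
WEAK_SOURCES = {"'unsafe-inline'", "'unsafe-eval'"}
HASH_OR_NONCE = re.compile(r"^'(nonce-[A-Za-z0-9+/=_-]+|sha(256|384|512)-[A-Za-z0-9+/=_-]+)'$")


def normalize_quotes(text):
    """Replace curly quotes with their ASCII equivalents."""
    return "".join(SMART_QUOTES.get(ch, ch) for ch in text)


def parse_csp(policy):
    """Split a CSP value into {directive: [source, ...]}, as a browser would."""
    directives = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def lint_csp(policy):
    """Return a list of findings for one Content-Security-Policy value."""
    findings = []
    if any(ch in SMART_QUOTES for ch in policy):
        findings.append("policy contains smart quotes; browsers will ignore those sources")
        policy = normalize_quotes(policy)
    for directive, sources in parse_csp(policy).items():
        if directive not in KNOWN_DIRECTIVES:
            findings.append(f"unknown directive '{directive}'")
        for src in sources:
            if src in KNOWN_DIRECTIVES:
                findings.append(f"'{src}' appears as a source of {directive}: missing ';' before it")
            elif src in WEAK_SOURCES:
                findings.append(f"{directive} allows {src}, which weakens CSP's XSS protection")
            elif src.startswith(("'", '"')) and src not in KEYWORD_SOURCES and not HASH_OR_NONCE.match(src):
                inner = src.strip("'\"")
                hint = " (extra quotes?)" if f"'{inner}'" in KEYWORD_SOURCES else ""
                findings.append(f"{directive} contains invalid source {src}; it will be ignored{hint}")
    return findings


def parse_reporting_endpoints(value):
    """Parse a Reporting-Endpoints value such as name="url", other="url2" into {name: url}."""
    return dict(re.findall(r'([A-Za-z0-9_-]+)\s*=\s*"([^"]*)"', value))


def lint_reporting(headers):
    """Check that every report-to group used by CSP, COOP and COEP is declared in Reporting-Endpoints."""
    findings = []
    endpoints = parse_reporting_endpoints(headers.get("Reporting-Endpoints", ""))
    csp = parse_csp(normalize_quotes(headers.get("Content-Security-Policy", "")))
    referenced = [("Content-Security-Policy", g) for g in csp.get("report-to", [])]
    for name in ("Cross-Origin-Opener-Policy", "Cross-Origin-Embedder-Policy"):
        match = re.search(r'report-to\s*=\s*"([^"]+)"', headers.get(name, ""))
        if match:
            referenced.append((name, match.group(1)))
    for header, group in referenced:
        if group not in endpoints:
            findings.append(f"{header} reports to group '{group}', which Reporting-Endpoints does not declare")
    return findings


# Constructed samples modeled on the mistakes in the thread.
SMART_QUOTED_POLICY = "default-src \u2018self\u2019 script-src \u2018self\u2019"  # smart quotes, no ';'
DOUBLE_QUOTED_POLICY = "script-src 'self' ''strict-dynamic''"                  # keyword quoted twice
WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
GOOD_HEADERS = {
    "Reporting-Endpoints": 'default="https://example.com/reports"',  # placeholder endpoint
    "Content-Security-Policy": "default-src 'self'; script-src 'nonce-abc123' 'strict-dynamic'; report-to default",
    "Cross-Origin-Opener-Policy": 'same-origin; report-to="default"',
    "Cross-Origin-Embedder-Policy": 'require-corp; report-to="default"',
}
# Same headers, but the declared endpoint name does not match the group the policies use.
BAD_HEADERS = dict(GOOD_HEADERS, **{"Reporting-Endpoints": 'csp="https://example.com/reports"'})

if __name__ == "__main__":
    for label, policy in [("smart quotes", SMART_QUOTED_POLICY), ("double quotes", DOUBLE_QUOTED_POLICY), ("weak", WEAK_POLICY)]:
        print(label, lint_csp(policy))
    print("reporting (good)", lint_reporting(GOOD_HEADERS))
    print("reporting (bad)", lint_reporting(BAD_HEADERS))
```

The reporting check is the part that answers the COOP/COEP/CSP question: one Reporting-Endpoints header declares the named endpoint, CSP references it with an unquoted `report-to default`, and COOP/COEP reference it with a quoted `report-to="default"` parameter, so a mismatch in the group name silently drops every report.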