• Resolved MartinBY

    (@canoaby)


    When using a CSP at .htaccess level, the PopUp is blocked.

    Is there any hint for the correct setting?

    Best regards,

    Martin


Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author Aert Hulsebos

    (@aahulsebos)

    Hi @canoaby,

    I’ll have a look if I can reproduce the issue. Did you add CSP yourself, or with a plugin like Really Simple SSL Pro?

    regards Aert

    Thread Starter MartinBY

    (@canoaby)

    Hi Aert,

    no, I added the following within .htaccess (mostly as the example given by Matomo):

    Strict-Transport-Security: max-age=15768000; includeSubDomains; preload
    Content-Security-Policy: default-src 'self' https://cookiedatabase.org; script-src 'self' https://goerres-web.de/piwik https://cookiedatabase.org; img-src 'self' https://cookiedatabase.org https://goerres-web.de/piwik https://s.w.org https://www.remarpro.com; style-src 'self'; frame-ancestors 'self'; frame-src 'self';
    X-Content-Type-Options: nosniff
    X-Frame-Options: sameorigin
    Referrer-Policy: no-referrer

    I tested several variants, but Matomo also gets problems when trying to add the opt-out code. When using CSP, Matomo's login as admin fails as well.

    When running a scan on https://webbkoll.dataskydd.net/de the quality result is perfect.

    Best regards,
    Martin

    Plugin Author Aert Hulsebos

    (@aahulsebos)

    Hi @canoaby,

    In both cases (including Matomo), it is likely inline script is blocked. You can use 'unsafe-inline' for this purpose.

    regards Aert

    Plugin Author Aert Hulsebos

    (@aahulsebos)

    Hi @canoaby,

    It looks like, including Matomo, inline script is blocked. You can use 'unsafe-inline' for this purpose.

    regards Aert

    Thread Starter MartinBY

    (@canoaby)

    Hi Aert,

    thank you very much for your quick and profound response.

    Changing the policy let all work fine but reduced the security level.

    Here is my actual policy:
    default-src 'none' 'self' 'unsafe-inline' 'unsafe-eval' ; object-src 'self' 'unsafe-inline' 'unsafe-eval' ; script-src 'self' 'unsafe-inline' 'unsafe-eval' ; img-src 'self' https://goerres-web.de/piwik https://s.w.org https://www.remarpro.com; style-src 'self' 'unsafe-inline' 'unsafe-eval'; frame-ancestors 'self' 'unsafe-inline' 'unsafe-eval'; frame-src 'self' 'unsafe-inline' 'unsafe-eval';

    Best Regards,
    Martin

    Plugin Contributor Rogier Lankhorst

    (@rogierlankhorst)

    @canoaby in practice, it is not possible to use CSP in WordPress without unsafe-inline, because a lot of plugins and tools depend on snippets of inline script. For example Google Analytics, Matomo, and Complianz as well.

    Thread Starter MartinBY

    (@canoaby)

    @rogierlankhorst, yes I agree, and different browsers react differently to CSPs. So Safari on iPad lets me enter the Matomo login, but Edge on Win10 does not.

    Same in WP admin mode using the theme customizer:
    Using a CSP including "frame-ancestors 'self' 'unsafe-inline' 'unsafe-eval'", the iPad shows previews of changes, but Edge blocks the preview. So I have to remove frame-ancestors from the CSP.
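The policy posted above mixes tokens that browsers honour with tokens they silently ignore: 'none' listed next to other sources is dropped, and 'unsafe-inline' / 'unsafe-eval' only mean anything in script and style directives, so in frame-ancestors, frame-src, object-src or img-src they change nothing. The following linter is an added example for this thread; it is not code from the Complianz plugin, from Matomo or from any of the posters. It assumes the CSP is parsed from the plain header value (the curly quotes that forum formatting produces are normalised to the ASCII quotes a browser requires), and the sample policy is the one posted in this thread.

```python
"""Lint a Content-Security-Policy header value for weakening or ineffective sources.

Added example for this support thread; not part of the Complianz plugin or of Matomo.
"""

# Keywords that only have meaning inside single ASCII quotes; unquoted they are host names.
KEYWORDS = {"self", "none", "unsafe-inline", "unsafe-eval", "unsafe-hashes", "strict-dynamic"}

# 'unsafe-inline' / 'unsafe-eval' only affect script and style evaluation. In any other
# directive (img-src, frame-src, frame-ancestors, object-src, ...) browsers ignore them.
UNSAFE_KEYWORDS = {"'unsafe-inline'", "'unsafe-eval'"}
UNSAFE_APPLIES_TO = {
    "default-src", "script-src", "script-src-elem", "script-src-attr",
    "style-src", "style-src-elem", "style-src-attr",
}

# Constructed from the policy posted in the thread, with ASCII quotes.
SAMPLE_POLICY = (
    "default-src 'none' 'self' 'unsafe-inline' 'unsafe-eval' ; "
    "object-src 'self' 'unsafe-inline' 'unsafe-eval' ; "
    "script-src 'self' 'unsafe-inline' 'unsafe-eval' ; "
    "img-src 'self' https://goerres-web.de/piwik https://s.w.org https://www.remarpro.com; "
    "style-src 'self' 'unsafe-inline' 'unsafe-eval'; "
    "frame-ancestors 'self' 'unsafe-inline' 'unsafe-eval'; "
    "frame-src 'self' 'unsafe-inline' 'unsafe-eval';"
)


def parse_csp(header_value):
    """Split a CSP header value into an ordered list of (directive, [sources]).

    Curly quotes (U+2018 / U+2019) are normalised to ASCII first: a browser treats
    a curly-quoted token as an unknown host expression, not as the keyword 'self'.
    """
    normalised = header_value.replace("\u2018", "'").replace("\u2019", "'")
    policy = []
    for chunk in normalised.split(";"):
        tokens = chunk.split()
        if tokens:
            policy.append((tokens[0].lower(), tokens[1:]))
    return policy


def lint_csp(header_value):
    """Return findings as (directive, kind, token) tuples; an empty list means nothing notable.

    kind is one of:
      duplicate         the directive appears twice; browsers keep the first occurrence
      none-ignored      'none' listed next to other sources; browsers ignore the 'none'
      weakens           'unsafe-inline' / 'unsafe-eval' in a directive where it is honoured
      no-effect         'unsafe-inline' / 'unsafe-eval' in a directive where it is ignored
      unquoted-keyword  a keyword written without quotes, which makes it a host name
    """
    findings = []
    seen = set()
    for directive, sources in parse_csp(header_value):
        if directive in seen:
            findings.append((directive, "duplicate", directive))
            continue
        seen.add(directive)
        if "'none'" in sources and len(sources) > 1:
            findings.append((directive, "none-ignored", "'none'"))
        for src in sources:
            if src in KEYWORDS:
                findings.append((directive, "unquoted-keyword", src))
            if src in UNSAFE_KEYWORDS:
                kind = "weakens" if directive in UNSAFE_APPLIES_TO else "no-effect"
                findings.append((directive, kind, src))
    return findings


def effective_policy(header_value):
    """Return the policy with ignored tokens dropped, as a header value string.

    This is a cleanup that shows what the browser actually enforces, not a hardening:
    'unsafe-inline' stays wherever it is honoured.
    """
    parts = []
    for directive, sources in parse_csp(header_value):
        kept = [s for s in sources
                if not (s in UNSAFE_KEYWORDS and directive not in UNSAFE_APPLIES_TO)]
        if "'none'" in kept and len(kept) > 1:
            kept.remove("'none'")
        parts.append(" ".join([directive] + kept))
    return "; ".join(parts)


if __name__ == "__main__":
    for directive, kind, token in lint_csp(SAMPLE_POLICY):
        print(f"{directive:16} {kind:17} {token}")
    print()
    print(effective_policy(SAMPLE_POLICY))
```

Run against the posted policy, the linter reports that 'none' in default-src is ignored, that 'unsafe-inline' and 'unsafe-eval' in script-src, style-src and default-src are the tokens that actually weaken the policy, and that the same tokens in object-src, frame-ancestors and frame-src do nothing; effective_policy() prints the shorter policy the browser is really enforcing, which makes the remaining unsafe-inline allowances easy to see at a glance.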

  • The topic ‘Content-Security-Policy (CSP) & X-Frame-Options blocks POPUP’ is closed to new replies.