• Hi WordPress team,

    I am using WordPress 6.2.2 with the Gutenberg editor. I introduced a CSP in the .htaccess file, and since then, when I click on “Add New” in the “Page” tab, it generates errors with a blank white screen. The CSP and error are below…

    CSP :

    Content-Security-Policy "default-src 'self' https: 'unsafe-inline'; object-src 'none'; img-src 'self' https: data: blob: *.gravatar.com; style-src 'self' 'unsafe-inline'; worker-src 'self' blob:; font-src 'self' https: data: blob:; child-src 'self' https: data: blob:; frame-src 'self' https: data: blob:; script-src 'self' 'unsafe-inline'; frame-ancestors 'self'; form-action 'self' https: 'unsafe-inline'"

    Error :

    Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'unsafe-inline'".

    at ./node_modules/react-refresh/runtime.js (react-refresh-runtime.js:29:1)
    at __webpack_require__ (react-refresh-runtime.js:53:41)
    at react-refresh-runtime.js:64:37
    at react-refresh-runtime.js:67:12

    Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'unsafe-inline'". data.js:345

    at new Function ()
    at data.js:345:30
    at combineReducers (data.js:347:5)
    at blocks.js:8559:97
    at blocks.js:15470:2
    at blocks.js:15472:12

    When I add “unsafe-eval” to script-src in the CSP, no error is generated and it works fine.

    But I need it to work without adding “unsafe-eval” to script-src in the CSP. So please suggest an alternate approach.

    Thanks

    • This topic was modified 1 year, 4 months ago by karthik7700.
Viewing 7 replies - 1 through 7 (of 7 total)
  • What happens if you disable all plugins and activate a stock WordPress theme (e.g. Twenty-Twenty-Two)?

    Thread Starter karthik7700

    (@karthik7700)

    Even after doing that the issue still persists.

    Thread Starter karthik7700

    (@karthik7700)

    The function call “new Function( 'r,s,a', fn )” in the function combineReducers( reducers ) of the data.js file is causing the issue. (You can refer to line no. 487 at the link below for the error line “return new Function( 'r,s,a', fn )”: https://github.com/WordPress/WordPress/blob/master/wp-includes/js/dist/data.js )

    If 'unsafe-eval' is present in the CSP, “new Function( 'r,s,a', fn )” executes properly and there is no error.

    If I add your CSP to the .htaccess file of a test WordPress site (6.2.2) with the Gutenberg editor, when I click on “Add New” in “Page” tab, no error occurs and a new page is opened. The same outcome with “Add New” in the “Post” tab. Do you have any MU plugins installed?

    Thread Starter karthik7700

    (@karthik7700)

    1. I don't have any MU plugins installed.
    2. Are you able to see the CSP in the response headers when you click “Add New” in the “Page” tab?
      • In my case I was unable to see the CSP in the response header as it was not enabled; the error was also not there and the page was opening.
      • I am using WAMP server, so to enable it I opened httpd.conf (C:\wamp\bin\apache\apache2.4.41\conf\httpd.conf) and uncommented the line “LoadModule headers_module modules/mod_headers.so”.
      • Since then I am able to see the CSP in the response header when I click “Add New” in the “Page” tab, the error is also generated, and there is a blank white page.

    Yes, when I add a new page and check, I can see the CSP in the response header (link). The site is hosted on a Linux server, and the CSP is added via the .htaccess file.

    Thread Starter karthik7700

    (@karthik7700)

  • The topic ‘script-src, unsafe-eval in CSP and editors’ is closed to new replies.