• Resolved frgtech

    (@frgtech)


    Hi,
    I’m still wrapping my head around all of this, but the best that I can tell is that there are parts of this code that are not compliant with having a CSP policy. In particular, I have to use a statement in my policy to allow for this code using the ‘unsafe-eval’ tag for the script-src field.

    Please forgive me if I’ve overlooked anything. I have been following the guide here to set up my policy, and I may be misinterpreting something.

    Thank you for any information you might be able to provide.

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author Jordy Meow

    (@tigroumeow)

    Hi,

    I am not sure; which lines exactly are you referring to? Inline JS?

    Thread Starter frgtech

    (@frgtech)

    Thanks for the response.

    I’m using the Autoptimize plugin to help condense the code, but when I’m testing my CSP policy without the ‘unsafe-eval’ tag for the script-src field, I can see the errors in Chrome’s dev tools like this.

    [Report Only] Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src https 'self' cdnres.willyweather.com connect.facebook.net www.google-analytics.com www.googletagmanager.com tides.tidegraph.com".
    
    (anonymous) @ autoptimize_f557a51613aa741a7aabad229edb64b9.js:60
    GlobalData @ autoptimize_f557a51613aa741a7aabad229edb64b9.js:60
    n @ autoptimize_f557a51613aa741a7aabad229edb64b9.js:60
    (anonymous) @ autoptimize_f557a51613aa741a7aabad229edb64b9.js:60
    n @ autoptimize_f557a51613aa741a7aabad229edb64b9.js:60
    GlobalData @ autoptimize_f557a51613aa741a7aabad229edb64b9.js:60
    n @ autoptimize_f557a51613aa741a7aabad229edb64b9.js:60
    (anonymous) @ autoptimize_f557a51613aa741a7aabad229edb64b9.js:60
    (anonymous) @ autoptimize_f557a51613aa741a7aabad229edb64b9.js:60
    

    Line 60 is the following code.
    https://pastebin.com/mTS7SzJN

    Best I can tell, this is for the MGL plugin.

    I apologize again if I’m reading this wrong. I’m just trying to harden my site and use the available tools to make it safe.

    Thanks!

    Thread Starter frgtech

    (@frgtech)

    I see this is marked resolved now.

    Did I miss something?

    Plugin Author Jordy Meow

    (@tigroumeow)

    Hi,

    I am sorry, but I don’t really understand the issue? The plugin is safe right now, it went through a very intense security check, so if you really think there is a problem, please tell me exactly what it is; I don’t think anything problematic here really.

    Also this:

    [Report Only] Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src https 'self' cdnres.willyweather.com connect.facebook.net https://www.google-analytics.com https://www.googletagmanager.com tides.tidegraph.com".

    It’s not related to the plugin, but other plugins which are using scripts hosted externally.

    Thread Starter frgtech

    (@frgtech)

    Hi Jordy,
    Thank you for the reply.

    I never thought for a second that your script was unsafe, but to actually use these security features that are designed to keep sites safe moving forward (CSP), certain ways code is used might need to be adjusted. In this case it was unsafe-eval that was the issue. I read about it a bit here.

    As for the other issues you pointed out, you are correct. I was trying to deal with each issue separately and looking for solutions. There are some types of code I can create a hash or a nonce for because the code is static and I can do it once and forget it. Some code is dynamic and it’s then like playing whack-a-mole to create hashes for every possible scenario. By declaring to allow unsafe-eval for one script though, you allow it for all.

    It seems to me that there are too many factors to implement a safe CSP right now. My WordPress site is very small and not very complex and I’m finding it near impossible to set a meaningful CSP without opening the barn doors. I could just get rid of anything unsafe and not have a very interesting site, but that’s not really an option.

    So if anything, maybe I was able to put this on your radar for consideration in the future. It would be something you could tout as a security feature vs other addons out there.

    Thanks anyway.
