Doesn’t work with CSPv3 with “unsafe-eval” omitted

  • V.E.L

    (@vezraimanuel)


    3 days, 13 hours ago

    5***** stars for version 4.0!!

    My site using CSPv3 that exclude “unsafe-eval”, this plugin keeps complaining about it. The funny thing is the old version 4.0 works great, I am premium user until today and I STILL cannot update to the newest version 5.2.3 because of that CSP issue. Luckily I still have archive of the old version 4.0 and I still using it.

    Hopefully the dev will take notice about this matter. they should review how they made the 4.0, it’s the only version that works with high security header settings.

    Another note, this plugin broken vs CSPv3 since version 4.4.1.

Viewing 1 replies (of 1 total)
  • Plugin Author Slava Abakumov

    (@slaffik)

    I have already replied to your review, but for future reference, I’m copying my reply here as well:

    I appreciate your feedback.

    What you wrote is relevant only to the paid version of the plugin, while this is a support forum for the free version.

    Our free version uses canvas to render PDF file content, which is easily bypassable allowing visitors to save/download the PDF file. Our customers wanter security, so in the paid version we implemented what they wanted.

    The iframe approach in the paid version of the plugin creates a workaround of this problem. It was implemented in v5 of the plugin.

    I’m not aware of the settings that you have set for your server, but maybe it would be a good idea to contact us via a support form on our site? We would be glad to help.

    Also, maybe it’s a good idea to review your CSPv3 settings and allow iframes that are pointing to your own domain? This is quite easy and we could have discussed this via email support channel that we provide for all of our paying customers.

    Thank you for understanding.

Viewing 1 replies (of 1 total)
  • You must be logged in to reply to this topic.