• Resolved fuzzy21

    (@fuzzy21)


    I cannot figure out how to fix this:

    [Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' https: https://cdnjs.cloudflare.com https://script.crazyegg.com 'nonce-2214f199ebd499f0d215-shortened' 'report-sample'". Either the 'unsafe-inline' keyword, a hash ('sha256-d5AXR2g0ALC-shortened'), or a nonce ('nonce-...') is required to enable inline execution.

    I whitelisted all the urls.

    I have nonce enabled on style-src. Is there something else need to do?

    This is happening on the default WordPress page of the site. It's an internal site, so I don't have a URL.

Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Author Giuseppe

    (@mociofiletto)

    I think you should include the 2 domains in your script-src directive from the "base rules" tab and choose nonce for external sources in script-src (the option is in the settings tab).

    Thread Starter fuzzy21

    (@fuzzy21)

    I entered the domains and nonce was selected, but still not working. The domain is whitelisted as well. I changed to hash and then back to nonce, but still…

    Plugin Author Giuseppe

    (@mociofiletto)

    In your previous message you said that nonce was enabled for style-src and not for script-src. Can you double check it and post a screenshot of your settings?

    More, can you post the relevant part of the html with the <script> tags that require those sources?

    There could be a problem if those tags are added by another script that uses appendChild() or insertBefore() (I am working on this for next release) but it is impossible to guess it, if I cannot see the page.

    Thread Starter fuzzy21

    (@fuzzy21)

    Hopefully you can see those. Settings are both nonce…

    Plugin Author Giuseppe

    (@mociofiletto)

    That is not an external script, but an inline one.

    Please enable nonce for inline scripts too (it is another option, called inline_scripts_mode, just beyond the SRI options).

    Do you know how it is added to the page? It is after the closing html tag, why?

    Thread Starter fuzzy21

    (@fuzzy21)

    inline scripts is set to nonce.

    It is Query Monitor plugin that is putting it in there.

    Thanks,

    Plugin Author Giuseppe

    (@mociofiletto)

    @fuzzy21 I’m working on this issue.

    The problem is:
    no-unsafe-inline (via its mu-plugin) adds a closure to the shutdown action hook with priority 0 (this is needed to be sure the closure is executed before WP runs ob_end_flush() on each open output buffer level);

    Query Monitor adds to the shutdown hook an action that dispatches its output with a priority of 9: https://github.com/johnbillion/query-monitor/blob/2b58634b37b8e7de52d8363c741053f42b7c8079/dispatchers/Html.php#L52

    This means the action added by Query Monitor runs after no-unsafe-inline has done its work, which is why the Query Monitor inline scripts are not captured (and cannot be whitelisted).

    However, if I simply increase the priority of the no-unsafe-inline closure to something bigger than 9, it will run after the WP default action has run, because WP core adds this action with a priority of 1:

    https://github.com/WordPress/wordpress-develop/blob/e3e7fdbf7c3fd9f04871118a16b98f1544e94984/src/wp-includes/default-filters.php#L413

    Now I'm testing a solution that removes the default WP action early when no-unsafe-inline is in place, and then raises the no-unsafe-inline closure priority to be sure it runs after all other actions added to the shutdown hook.

    Please, wait for next release, and thanks for reporting.
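The hook ordering described in the reply above, as an added example mu-plugin that is not code from no-unsafe-inline or from Query Monitor. The two priorities it relies on come from the thread (core's `wp_ob_end_flush_all` at 1, Query Monitor's dispatcher at 9); the function names, the nonce-injection regex and the report-only header are hypothetical stand-ins for what a capturing CSP plugin would do.

```php
<?php
/**
 * Added example (not the no-unsafe-inline plugin's own code).
 * Drop into wp-content/mu-plugins/ to see the shutdown-hook ordering fix.
 */

// Hypothetical stand-in for the per-request nonce that a CSP plugin would generate.
function example_csp_nonce() {
    static $nonce = null;
    if ( null === $nonce ) {
        $nonce = base64_encode( random_bytes( 16 ) ); // 128 bits, as CSP recommends
    }
    return $nonce;
}

// Hypothetical minimal rewrite: add a nonce to every inline <script> that has none.
// External (src=) and already-nonced scripts are left alone, so running this twice
// over the same HTML (outer buffer after inner buffer) is harmless.
function example_add_nonce_to_inline_scripts( $html ) {
    $nonce = example_csp_nonce();
    return preg_replace_callback(
        '#<script\b([^>]*)>#i',
        function ( $m ) use ( $nonce ) {
            $attrs = $m[1];
            if ( preg_match( '#\bsrc\s*=#i', $attrs ) || preg_match( '#\bnonce\s*=#i', $attrs ) ) {
                return $m[0];
            }
            return '<script' . $attrs . ' nonce="' . esc_attr( $nonce ) . '">';
        },
        $html
    );
}

// 1. Start capturing as early as possible (mu-plugins load before regular plugins).
ob_start();

// 2. Core registers wp_ob_end_flush_all() on 'shutdown' at priority 1
//    (wp-includes/default-filters.php). A capturing closure at priority 0 runs
//    before Query Monitor's dispatcher (priority 9) and never sees its <script>
//    tags; a closure above 9 runs after core has already flushed the buffers.
//    Fix, step one: unregister core's flush. default-filters.php has already been
//    loaded when an mu-plugin runs, so this call succeeds here.
remove_action( 'shutdown', 'wp_ob_end_flush_all', 1 );

// 3. Fix, step two: flush ourselves at the very end of 'shutdown', after Query
//    Monitor (9) and after anything else using a sane priority. Output buffering
//    means nothing has reached the client yet, so the CSP header can still be sent.
add_action( 'shutdown', function () {
    if ( ! headers_sent() ) {
        header( "Content-Security-Policy-Report-Only: script-src 'self' 'nonce-" . example_csp_nonce() . "'" );
    }
    // Walk every open buffer level from the innermost outwards, like
    // wp_ob_end_flush_all() does, rewriting each one before it moves out a level.
    $levels = ob_get_level();
    for ( $i = 0; $i < $levels; $i++ ) {
        $html = ob_get_clean();
        if ( false === $html ) {
            break;
        }
        echo example_add_nonce_to_inline_scripts( $html );
    }
}, PHP_INT_MAX );
```

Removing core's action does not lose output: PHP flushes any buffer still open when the script ends. What the closure cannot cover is markup echoed by a hook that registers at a priority greater than or equal to PHP_INT_MAX on the same hook, or output written directly to the client with `flush()` before shutdown; both bypass the buffer and would still trigger the report-only violation seen in the first post.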

    Thread Starter fuzzy21

    (@fuzzy21)

    Great, thank you, looking forward to trying it.
