• Resolved quu

    (@quu)


    I am hardening a website, and while using CSP technique, I am disabling unsafe inline scripts, and those can only run with a nonce or a hash of the script in its script tag’s “integrity” attribute.

    But the script pointing to ajax is output to the page without any of those:

    <script type='text/javascript' id='wordfence-ls-login-js-extra'>
    /* <![CDATA[ */
    var WFLSVars = {"ajaxurl":"https:\/\/my.domain\/admin-ajax\/","nonce":"4143373920","recaptchasitekey":"","useCAPTCHA":"","allowremember":"","verification":""};
    /* ]]> */
    </script>

    The nonce /inside/ the code changes every couple of hours or so, so the hash for this whole script changes as well. Effectively this is impossible to use as I cannot hash the script and add the hash to my CSP allowed hashes.
    Can I remove the nonce from there or can this have an integrity tag?
    relevant -> https://stackoverflow.com/questions/70855692/csp-and-script-localization-in-wordpress

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @quu, thanks for getting in touch.

    When implementing CSP on a site, this is likely to be an issue with multiple plugins as the majority of our customers will have other plugins using inline scripts.

    WordPress added some functions to dynamically add nonces for CSP and we are currently looking into adding them for a future version of Wordfence. We need to be careful that we don’t introduce conflicts with plugins or custom code that tries to address the same issue. This requirement has been logged with the development team as each request for a feature strengthens the case for prioritizing it. Naturally, I can’t comment on precise delivery dates here on the forums.

    Thanks,

    Peter.
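One way a site owner can put the WordPress nonce mechanism Peter mentions to work today, as an added example that is not Wordfence's code or anything from this thread: a must-use plugin that generates one random nonce per request, sends it in the CSP header, and stamps it onto every inline script WordPress prints, including the `wp_localize_script()` block for `WFLSVars`. It assumes WordPress 5.7 or newer (where inline scripts pass through the `wp_inline_script_attributes` filter) and that no other plugin already sets a CSP header; the function name `csp_example_nonce` is invented for this example.

```php
<?php
/**
 * Plugin Name: CSP nonce for inline scripts (added example)
 * Place in wp-content/mu-plugins/. Assumes WordPress >= 5.7 so that
 * wp_localize_script() output is printed via wp_print_inline_script_tag()
 * and therefore passes through the 'wp_inline_script_attributes' filter.
 */

// One unpredictable nonce per request (128 bits, base64). Memoised so the
// header and every inline <script> tag on this response share the value.
function csp_example_nonce() {
    static $nonce = null;
    if ( $nonce === null ) {
        $nonce = base64_encode( random_bytes( 16 ) );
    }
    return $nonce;
}

// Send the policy early. 'init' also fires for wp-login.php, which is where
// the WFLSVars block appears; 'send_headers' does not run on that page.
add_action( 'init', function () {
    if ( headers_sent() ) {
        return; // nothing we can do once output has started
    }
    $nonce  = csp_example_nonce();
    $policy = "script-src 'self' 'nonce-{$nonce}'; object-src 'none'; base-uri 'self'";
    header( 'Content-Security-Policy: ' . $policy );
} );

// Add nonce="..." to every inline script WordPress itself prints. Because
// the value is per request, the contents of the script (and the Wordfence
// nonce inside it) no longer matter to the policy, unlike a CSP hash.
add_filter( 'wp_inline_script_attributes', function ( $attributes ) {
    $attributes['nonce'] = csp_example_nonce();
    return $attributes;
} );
```

Full-page caching defeats this approach, because a cached page would be served with a nonce that no longer matches the freshly generated header; exclude wp-login.php and any other nonce-bearing pages from the cache, or have the cache layer rewrite the nonce on each hit.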

    Thread Starter quu

    (@quu)

    Hey @wfpeter
    Thank you for replying.

    We do have several plugins, but I’m either able to hash their inline content, or get them in a file, both are good for our CSP.

    With this one instance, I have a problem because the nonce is inside the inline script. Can you suggest how to remove it altogether?
    Maybe add an option to use / no use, in the admin panel?
    Having this breaks our login page…

    Thank you

    Thread Starter quu

    (@quu)

    Hi, this is actually not resolved.
    Is there any update on this?
    The problem is only with Wordfence’s code being inline and not providing SRI hash for its own script.

  • The topic ‘wordfence WFLSVars are created without nonce or SRI hash’ is closed to new replies.