monotux
Yes, that fixed the issue.
For any future readers, I had to add some headers to my nginx configuration. Below is something like what I did:
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval'" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
(I added this to my WordPress server declaration in my nginx configuration.)
You can then use the developer mode in your browser to verify that you only have one Content-Security-Policy, and that it's in line with the above.
As for why the plugin uses eval() with its well-known issues, that is another matter to discuss. Thanks for pointing me to that post!
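As an added example (not from the original post or the plugin), a small Python check that parses a response header block, counts the Content-Security-Policy headers and reports whether each policy still lets script eval() through. The sample response is constructed; a real one would come from your browser's developer tools or a saved response.

```python
from typing import Dict, List

def parse_headers(raw: str) -> List[tuple]:
    """Split a raw response header block (status line first) into (name, value) pairs."""
    pairs = []
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, _, value = line.partition(":")  # first colon only; values may contain ':'
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Turn "default-src 'self' https:; script-src ..." into a directive map."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def script_sources(policy: str) -> List[str]:
    """Sources that govern scripts: script-src if set, else the default-src fallback."""
    d = parse_csp(policy)
    return d.get("script-src", d.get("default-src", []))

def audit_csp(raw: str) -> Dict[str, object]:
    """Count CSP headers and tell whether eval() survives them.
    Browsers enforce every CSP header on a response, so eval() only works if
    each policy lists 'unsafe-eval' for scripts; with no CSP at all nothing
    is restricted."""
    policies = [v for n, v in parse_headers(raw) if n == "content-security-policy"]
    per_policy = ["'unsafe-eval'" in script_sources(p) for p in policies]
    return {
        "policy_count": len(policies),
        "eval_allowed_per_policy": per_policy,
        "eval_effectively_allowed": all(per_policy),
    }

# Constructed sample: the nginx policy from the post plus a second, stricter
# policy, as happens when a plugin or a second server block also sets one.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: nginx
Content-Security-Policy: default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval'
Content-Security-Policy: default-src 'self'; script-src 'self'
X-Frame-Options: SAMEORIGIN
"""

if __name__ == "__main__":
    print(audit_csp(SAMPLE_RESPONSE))  # policy_count 2, eval effectively blocked
```

A count above one means two policies are both enforced, which is exactly the duplicate-header situation the post describes.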
Hi,
I've tried three additional themes, Miniva, Twenty Twenty, Twenty Sixteen (using Chaplin), but the issue remains.
I’ve tried disabling all plugins. The plugins currently in use:
All In One SEO Pack v3.7.1
Easy Google Fonts v1.4.4
Gutenberg v9.1.0
Login LockDown v1.8.1 (didn’t disable this tbh)
MetaSlider v3.18.2
Photo Gallery v1.5.62
Polylang v2.8.2
Title Remover v1.2.1
I'm running an nginx/fpm setup, but I've disabled all extra rules matching traffic, so it's all just either delivered as static assets or sent to the fpm worker pool.
As for installing, I’m only managing the VPS for my friend. But I think the setup has been fairly static except for updating plugins.
A screen recording that might explain it better. This is tested in Firefox, desktop version: https://imgur.com/a/BFeWWmB