I’ve been trying to use CSP Manager to fix a bunch of stuff being blocked.
Something has changed and now when I go to Appearance -> Customize I get “This content is blocked. Contact the site owner to fix the issue.”
I have the CSP Manager Admin policy set to Disabled.
Also the logged-in policy is set to Disabled.
Here is what is in .htaccess
This was added from another plugin I tried to get things working.
Header add Content-Security-Policy "default-src 'self';font-src fonts.gstatic.com https: data:;style-src 'self' 'unsafe-inline' fonts.googleapis.com ;img-src 'self' https: data:;script-src 'self' 'unsafe-inline' 'unsafe-eval' https://secure.torn6back.com https://www.googletagmanager.com https://js.hsforms.net https://js.hs-scripts.com https://ws.zoominfo.com https://www.google-analytics.com https://js.hs-analytics.net https://js.hsleadflows.net https://js.hscollectedforms.net https://js.hsadspixel.net https://js.hs-banner.com https://tags.clickagy.com https://www.google.com https://snap.licdn.com https://www.googleadservices.com https://googleads.g.doubleclick.net https://www.gstatic.com;connect-src 'self' https://forms.hsforms.com https://hubspot-forms-sttic-embed.s3.amazonaws.com https://www.google-analytics.com https://api.hubapi.com https://forms.hubspot.com https://stats.g.doubleclick.net https://aorta.clickagy.com https://hemsync.clickagy.com https://ws.zoominfo.com https://idx.liadm.com;frame-src https://www.google.com https://www.youtube.com"
Header set X-XSS-Protection "1; mode=block"
Any help on how I could get CSP disabled again for Admin/Logged-in users?
That would be a very welcome addition; other than that, excellent plugin.

I’m trying to add a CSP rule to enable embedding content from player.streamguys.com in an iframe.
I added the URL to the Policy: frame-src entry, but the content is still blocked. Where does CSP Manager make changes? If I knew which file(s) to look at I might be able to see what is happening (or not). Right now I’m shooting in the dark.

Hi,
I am not able to activate this plugin on this site: https://alma-event.devtomaster.com/.
My PHP version was 7.2 and I have updated it to 7.4, and my WordPress version is 5.9, but I am still getting errors like:
Parse error: syntax error, unexpected ')' in /var/www/nft-alma_event/wp-content/plugins/csp-manager/src/CSP_Manager/Settings.php on line 321

Hi, does the plugin support using nonces? Lots of scripts require it.
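
For the first post in this thread (no CSP for the dashboard and logged-in users) and the nonce question just above: the following is an added example written for this thread, not code from CSP Manager. It shows how a WordPress site can choose a policy per context (dashboard, logged-in front end, anonymous front end) and attach a per-request nonce to enqueued scripts using only core hooks, and it carries a frame-ancestors directive, which only works in a header. The hosts in the policy, the report endpoint and the file name are assumptions. Rather than sending nothing for the dashboard and logged-in users, which drops XSS mitigation exactly where sessions are most valuable, it sends a Report-Only policy there; the one-line change to send nothing at all is left as a comment.

```php
<?php
/**
 * Plugin Name: CSP by context (example)
 *
 * Added example for this support thread, not part of CSP Manager. Put it in
 * wp-content/mu-plugins/. Hosts, report endpoint and file name are assumed.
 */

/** One base64 nonce per request; 'nonce-…' source expressions require base64. */
function cspx_nonce() : string {
	static $nonce = null;
	if ( null === $nonce ) {
		$nonce = base64_encode( random_bytes( 16 ) );
	}
	return $nonce;
}

/** Which of the three contexts (admin, logged-in, frontend) this request is in. */
function cspx_context() : string {
	if ( is_admin() ) {
		return 'admin';
	}
	return is_user_logged_in() ? 'logged-in' : 'frontend';
}

/**
 * Header name and value for a context, or null to send no CSP header at all.
 * Dashboard and logged-in users get Report-Only: nothing breaks, but every
 * violation still reaches report-uri while the policy is tuned.
 */
function cspx_header_for( string $context, string $nonce ) : ?array {
	$directives = array(
		'default-src'     => "'self'",
		// Once a nonce is present, CSP2+ browsers ignore 'unsafe-inline'; keep it only
		// as a fallback for browsers that predate nonces.
		'script-src'      => "'self' 'nonce-{$nonce}' https://www.googletagmanager.com",
		'style-src'       => "'self' 'unsafe-inline' https://fonts.googleapis.com",
		'font-src'        => "'self' https://fonts.gstatic.com data:",
		'img-src'         => "'self' https: data:",
		'connect-src'     => "'self' https://www.google-analytics.com",
		'frame-src'       => 'https://www.youtube.com https://player.streamguys.com',
		'frame-ancestors' => "'self'",                            // header-only directive
		'report-uri'      => 'https://csp.example.invalid/report', // assumed endpoint
	);
	$policy = '';
	foreach ( $directives as $name => $value ) {
		$policy .= "{$name} {$value}; ";
	}
	$policy = rtrim( $policy );

	switch ( $context ) {
		case 'frontend':
			return array( 'Content-Security-Policy', $policy );
		case 'logged-in':
		case 'admin':
			// return null; // no CSP at all for admin/logged-in, as the first post asks
			return array( 'Content-Security-Policy-Report-Only', $policy );
	}
	return null;
}

/** Emit the header: send_headers fires on the front end, admin_init in wp-admin. */
function cspx_send() : void {
	if ( headers_sent() ) {
		return;
	}
	$h = cspx_header_for( cspx_context(), cspx_nonce() );
	if ( null !== $h ) {
		header( $h[0] . ': ' . $h[1] );
	}
}
add_action( 'send_headers', 'cspx_send' );
add_action( 'admin_init', 'cspx_send' );

/** Nonce on every enqueued external script tag (<script src=...>). */
add_filter( 'script_loader_tag', function ( string $tag ) : string {
	if ( false !== strpos( $tag, ' nonce=' ) ) {
		return $tag;
	}
	return str_replace( '<script ', '<script nonce="' . esc_attr( cspx_nonce() ) . '" ', $tag );
} );

/** Nonce on inline scripts WordPress prints itself (wp_add_inline_script, wp_localize_script); WP 5.7+. */
add_filter( 'wp_inline_script_attributes', function ( array $attrs ) : array {
	$attrs['nonce'] = cspx_nonce();
	return $attrs;
} );
```

Two caveats worth checking on a site like the one in the first post. If the .htaccess `Header add Content-Security-Policy` line stays in place alongside this, the browser receives two policies and a resource must satisfy both, so the plugin-side policy cannot loosen anything the .htaccess one forbids. And a full-page cache that serves stored HTML without running PHP never sends a PHP-set header on cache hits, while any nonce baked into cached HTML is stale; nonce-based CSP and full-page caching only combine if the cache layer regenerates both together. Scripts that a theme prints as raw `<script>` tags in templates bypass both filters above and need the nonce added by hand.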

Up front, I don’t think this is actually a problem with the plugin. I think the plugin works fine.
What’s weird is that it seemed like either Nexcess’ Page Cache or maybe Cloudflare is stripping CSP headers from cached pages.
If I use a tool like https://csp-evaluator.withgoogle.com/ sometimes it sees the CSP header, sometimes it doesn’t. It seems like if I add a cache busting query string I always see the CSP header. If I don’t, no CSP header. Cache cleared, and this has gone on for days. Disabling those things though doesn’t bring back CSP 100% of the time either.
Nexcess also has an nginx proxy independent of page caching, I think; I wonder if that’s causing it.
Maybe someone has other ideas?

Hi there,
It’s quite strange, but I don’t have any CSP set in the headers when I’m not logged in.
I have some in the admin and when I’m logged in.
For all three cases I’m in enforce mode.
Any help would be appreciated
Mat

I can’t seem to get this to output anything. The only directive I’ve added is for
Policy: report-to, to which I’ve added my report-uri URL.
Viewing the source and clearing/bypassing the cache, I don’t see anything CSP-related added to the source.
Feature suggestions.
1) Option to apply same CSP to admin/logged-in/front-end. It’s super obnoxious to replicate settings for all 3 separately, and took me a while to even realize “logged-in and Frontend” were there at the bottom.
2) A tabbed interface for admin/logged-in/front-end. I suspect this is maybe what was alluded to in the 1.1 change log… but #1 ought to be even more important.
3) An “add permissive settings as defaults” button. Yes, CSPs should be restrictive, but a lot of people are just going to want a CSP and want it to be fully permissive (allow everything), then restrict things down one by one.
It’s super daunting to me to start WP sites by generating a very restrictive CSP. There are always pages that break when I do that, so it’s way more reliable to set up a wide-open policy, then report on it, then slowly lock things down and look for breakage.

I’m on report-only and had lists of errors from Sentry, but how do I fill the sites in the box? Do I use quotes? Do I need https://? Are they separated by space or newline? Help...
Also securityheaders said that CSP is not on despite my putting in several ‘self’ entries; the site is also behind Cloudflare though.
Thanks
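
The frame-src question earlier in the thread (a host added to frame-src but the iframe still blocked) and the question just above (quotes, https://, separators) both come down to the source-matching rules a browser applies to a policy. The following is an added example written for this thread, not CSP Manager code: a self-contained PHP implementation of CSP Level 3 source-list matching with the directive fallback chain, run offline against constructed URLs and an assumed page origin. What it demonstrates: within one directive, entries are separated by spaces; hosts are written bare, since quotes belong only to keywords such as 'self' and a quoted host never matches anything; a host without a scheme inherits the page's scheme; and with no frame-src at all, default-src governs frames.

```php
<?php
/**
 * CSP source-list matching as a browser performs it (CSP Level 3 rules).
 * Added example for this support thread, not part of CSP Manager; runs
 * offline. The page origin and URLs in the demo at the bottom are constructed.
 */

/** "a 'self'; b c" -> ['a' => ["'self'"], 'b' => ['c']]. A repeated directive is ignored, as browsers do. */
function csp_parse( string $policy ) : array {
	$out = array();
	foreach ( explode( ';', $policy ) as $chunk ) {
		$tokens = preg_split( '/\s+/', trim( $chunk ), -1, PREG_SPLIT_NO_EMPTY );
		if ( $tokens ) {
			$name         = strtolower( array_shift( $tokens ) );
			$out[ $name ] = $out[ $name ] ?? $tokens;
		}
	}
	return $out;
}

/** Source list governing a directive after its fallback chain; null means nothing applies. */
function csp_sources_for( array $policy, string $directive ) : ?array {
	$chains = array(
		'frame-src'       => array( 'frame-src', 'child-src', 'default-src' ),
		'worker-src'      => array( 'worker-src', 'child-src', 'script-src', 'default-src' ),
		'script-src-elem' => array( 'script-src-elem', 'script-src', 'default-src' ),
		'style-src-elem'  => array( 'style-src-elem', 'style-src', 'default-src' ),
		'frame-ancestors' => array( 'frame-ancestors' ), // never falls back to default-src
		'form-action'     => array( 'form-action' ),
		'base-uri'        => array( 'base-uri' ),
	);
	foreach ( $chains[ $directive ] ?? array( $directive, 'default-src' ) as $name ) {
		if ( isset( $policy[ $name ] ) ) {
			return $policy[ $name ];
		}
	}
	return null;
}

/** Scheme match including the spec's secure upgrades (http -> https, ws -> wss). */
function csp_scheme_matches( string $a, string $b ) : bool {
	return $a === $b || ( 'http' === $a && 'https' === $b ) || ( 'ws' === $a && 'wss' === $b );
}

function csp_default_port( string $scheme ) : int {
	return in_array( $scheme, array( 'https', 'wss' ), true ) ? 443 : 80;
}

/** One source expression against one parsed URL; $origin is the page's parsed origin. */
function csp_source_matches( string $src, array $url, array $origin ) : bool {
	$src = strtolower( $src );
	if ( "'self'" === $src ) {
		return csp_scheme_matches( $origin['scheme'], $url['scheme'] )
			&& $origin['host'] === $url['host']
			&& ( $origin['port'] ?? csp_default_port( $origin['scheme'] ) )
			=== ( $url['port'] ?? csp_default_port( $url['scheme'] ) );
	}
	if ( "'" === $src[0] ) {
		return false; // 'none', 'unsafe-inline', 'nonce-…', 'sha256-…' and a mistakenly quoted host never match a URL
	}
	if ( preg_match( '#^([a-z][a-z0-9+.-]*):$#', $src, $m ) ) {
		return csp_scheme_matches( $m[1], $url['scheme'] ); // scheme-source such as https: or data:
	}
	// host-source: [scheme://]host[:port][/path]; host may be * or *.example.com
	if ( ! preg_match( '#^(?:([a-z][a-z0-9+.-]*)://)?(\*|(?:\*\.)?[a-z0-9.-]+)(?::(\d+|\*))?(/[^?\#]*)?$#', $src, $m ) ) {
		return false; // invalid expression: browsers drop it with a console warning
	}
	$scheme = '' !== ( $m[1] ?? '' ) ? $m[1] : $origin['scheme']; // no scheme: inherit the page's
	if ( ! csp_scheme_matches( $scheme, $url['scheme'] ) ) {
		return false;
	}
	$host = $m[2];
	if ( 0 === strpos( $host, '*.' ) ) {
		$suffix = substr( $host, 1 ); // ".example.com": any subdomain, never the bare domain
		if ( substr( $url['host'], -strlen( $suffix ) ) !== $suffix ) {
			return false;
		}
	} elseif ( '*' !== $host && $host !== $url['host'] ) {
		return false;
	}
	$url_port = $url['port'] ?? csp_default_port( $url['scheme'] );
	$port     = $m[3] ?? '';
	if ( '' === $port ? $url_port !== csp_default_port( $url['scheme'] ) : ( '*' !== $port && (int) $port !== $url_port ) ) {
		return false; // no port in the source means the URL must use its scheme's default port
	}
	$path = $m[4] ?? '';
	if ( '' !== $path && '/' !== $path ) {
		$url_path = $url['path'] ?? '/';
		$ok       = '/' === substr( $path, -1 ) ? 0 === strpos( $url_path, $path ) : $path === $url_path;
		if ( ! $ok ) {
			return false; // trailing slash = prefix match, otherwise exact path match
		}
	}
	return true;
}

/** Does $url satisfy $directive under $policy for a page whose origin is $page_origin? */
function csp_allows( string $policy, string $directive, string $url, string $page_origin ) : bool {
	$sources = csp_sources_for( csp_parse( $policy ), $directive );
	if ( null === $sources ) {
		return true; // no directive governs this fetch
	}
	$u = parse_url( $url );
	$o = parse_url( $page_origin );
	if ( empty( $u['host'] ) || empty( $o['host'] ) ) {
		return false;
	}
	$u['scheme'] = strtolower( $u['scheme'] ); $u['host'] = strtolower( $u['host'] );
	$o['scheme'] = strtolower( $o['scheme'] ); $o['host'] = strtolower( $o['host'] );
	foreach ( $sources as $src ) {
		if ( csp_source_matches( $src, $u, $o ) ) {
			return true;
		}
	}
	return false;
}

// Constructed demo: the thread's frame-src question. Origin and URL are assumptions.
$origin = 'https://example.com';
$iframe = 'https://player.streamguys.com/live/player.html';
$base   = "default-src 'self'; frame-src https://www.google.com https://www.youtube.com";
var_dump( csp_allows( $base, 'frame-src', $iframe, $origin ) );                            // false: host not listed
var_dump( csp_allows( $base . ' player.streamguys.com', 'frame-src', $iframe, $origin ) );  // true: bare host, scheme inherited
var_dump( csp_allows( $base . " 'player.streamguys.com'", 'frame-src', $iframe, $origin ) ); // false: quoted host is invalid
var_dump( csp_allows( "default-src 'self'", 'frame-src', $iframe, $origin ) );              // false: default-src governs frames
```

The practical check for the earlier poster follows from the same rules: if the entry was saved under a different directive, saved with quotes, or the enforced policy reaching the browser is a different one than the plugin's (for instance a second Content-Security-Policy header from .htaccess, which the browser enforces in addition), the iframe stays blocked even though the host looks correct in the settings page. The response headers in the browser's network panel are the place to confirm which policies actually arrive.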

In Firefox, I’m getting an error of:
Content Security Policy: The page’s settings blocked the loading of a resource at https://morgridge.org/news/page/2/ ("default-src").
I don’t understand why /news/page/2/ is being called, and I’m also not sure why it is only happening in Firefox. This only happens on the homepage.

Hi there,
I noticed that frame-ancestors isn’t an available policy in this plugin?
Could that be added?

I noticed that Google’s CSP evaluator recommends adding require-trusted-types-for 'script'; to the header.
How is one able to add this via the CSP Manager plugin?