Perhaps someone here can advise me. The plugin log reports a series of violations of font-src where the blocked URL is chrome-extension. The log entry has the remark “Unknown blocked URI – could not be parsed: chrome-extension”. The client browser is Firefox 76.0. The log does not propose any actions to handle the violation.
When I view the page in my own Firefox 76.0 browser there are no apparent issues with any fonts. When I view the Apache access log I see that the client simply requested the URL in question. This is followed by a series of 14 entries:
POST /wp-json/wpcsp/v1/route/LogPolicyViolation?_wpnonce=662363f4c3 HTTP/2.0
The directive for font-src is:
'self'
code.ionicframework.com
data:
fonts.googleapis.com
fonts.gstatic.com
https://use.fontawesome.com
https://use.fontawesome.com
https://use.typekit.net
The URL in question has previously been requested by many different clients and has never previously generated any policy violations.
So I am trying to understand what has happened and what to do about it. Was this a fluke? A subtle form of attack by a hacker? Do I need to change the directive?
Hi,
Just noticed that development of this plugin seems to be dead in the water.
Is this plugin being supported anymore, or has development and maintenance on it ceased?
– Jim
I note that the following warning now appears in my php error log:
PHP message: PHP Warning: Cannot modify header information - headers already sent by (output started at /blahblah/wp-content/plugins/yoast-seo-search-index-purge/src/Yoast_Purge_Attachment_Page_Server.php:46) in /blahblah/wp-content/plugins/wp-content-security-policy/includes/WP_CSP.php on line 548
I don’t know if this is a latent mistake in Content Security Policy that only started to appear with the upgrade of the Yoast plugin to 11.2.1, or if the error is in the Yoast plugin. You might wish to investigate.
This discussion might be relevant:
https://stackoverflow.com/questions/8028957/how-to-fix-headers-already-sent-error-in-php
Noticed this in console with latest Firefox on my personal site:
Content Security Policy: Directive 'child-src' has been deprecated. Please use directive 'worker-src' to control workers, or directive 'frame-src' to control frames respectively.
Please, enhance settings documentation with examples.
My doubt cases:
Using version 2.3 of plugin.
I seek advice in interpreting the information provided in the log.
For example, there is an entry in the log that the img-src directive has been violated (103 times). The blocked URL is given as https://licensebuttons.net (that is, there is no specific image indicated). If I look at the html code for any of the pages requested, according to the log, none of them contain a link to an img located at the blocked URL. In fact, that URL appears in no file anywhere on the site, nor does it appear anywhere in the wp_posts table. Finally, the rendered pages that are said to have blocked images do not appear to be missing any images at all.
So, I am trying to understand how these entries are being logged. What could account for them? Why do I not see an indication of the precise URL of the img that is in violation?
Thanks in advance for your help.
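An added example, not part of the plugin: a Python triage of raw CSP reports that separates add-on-injected resources (the scheme-only "chrome-extension" entry from the first post) from cross-origin entries, for which browsers report only the origin rather than the full URL (which is why the img-src entry above names no file). example.com and the report bodies are constructed.

```python
import json
from urllib.parse import urlsplit

# Schemes under which browser add-ons inject resources into a page. A report
# whose blocked URI uses one of these comes from the visitor's browser, not
# from anything the site serves, so no directive change will silence it.
EXTENSION_SCHEMES = {"chrome-extension", "moz-extension", "safari-extension"}

def classify_report(report_json, site_origin):
    """Classify one CSP report body (the JSON a browser POSTs to report-uri).

    Returns (category, detail): "extension" (add-on injected, not actionable),
    "cross-origin" (browsers strip the path from cross-origin blocked URIs, so
    only the origin is reported, which is why the log shows no file name),
    "same-origin" (full URL available) or "other" (inline/eval/data:/empty).
    """
    body = json.loads(report_json).get("csp-report", {})
    blocked = body.get("blocked-uri", "")
    parts = urlsplit(blocked)
    # Some browsers send only the scheme ("chrome-extension") with no "://".
    if blocked in EXTENSION_SCHEMES or parts.scheme in EXTENSION_SCHEMES:
        return "extension", blocked
    if parts.scheme in ("http", "https"):
        origin = f"{parts.scheme}://{parts.netloc}"
        return ("same-origin", blocked) if origin == site_origin else ("cross-origin", origin)
    return "other", blocked or "(empty)"

def triage(report_bodies, site_origin):
    """Bucket a batch of raw report bodies by category for review."""
    buckets = {}
    for body in report_bodies:
        category, detail = classify_report(body, site_origin)
        buckets.setdefault(category, []).append(detail)
    return buckets

# Constructed sample reports (example.com stands in for the site), shaped like
# the font-src and img-src log entries discussed above.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {"document-uri": "https://example.com/",
                               "effective-directive": "font-src", "blocked-uri": "chrome-extension"}}),
    json.dumps({"csp-report": {"document-uri": "https://example.com/post/",
                               "effective-directive": "img-src", "blocked-uri": "https://licensebuttons.net"}}),
    json.dumps({"csp-report": {"document-uri": "https://example.com/",
                               "effective-directive": "script-src", "blocked-uri": "https://example.com/assets/app.js"}}),
]

if __name__ == "__main__":
    print(triage(SAMPLE_REPORTS, "https://example.com"))
```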
Not sure when, but the headers suddenly stopped being applied to my site. Noticed the plugin hasn’t been updated in nearly a year, is it possible it needs updating for new wordpress versions?
Loved the plugin, would be a shame if it’s abandoned
Edit: Huh. Deactivated and reactivated the plugin, cleared some options and all my caches and suddenly it seems to be working again.
November 30, 2018: “During the use of a web app we can leave various pieces of data in the browser that we’d like to clear out if the user logs out or deletes their account. Clear Site Data gives us a reliable way to do that.”
https://scotthelme.co.uk/a-new-security-header-clear-site-data/
Can you add support for this new header?
On multiple sites the gadwp-sel-period-1 and -report-1 list boxes are hidden by the google map that is displayed. It is the item on the dashboard. So I can not select any other display option. I can see it while the screen builds up, but then it is covered by the rest of the DIV.
These boxes are on top within the gadwp-container-1 that is displayed on the Dashboard page in admin view.
It has cost me some time to discover the problem.
Just now I have found out that the plugin ‘WP Content Security Policy Plugin’ causes this problem. Disabling this plugin solves it.
Why is still unclear to me. Inspector shows nothing blocked.
Please have a look at this problem. I like the plugin and features bidden!
I have a website which uses a (rather old) plugin called “Require logins”.
If I have it enabled it shows a login box prior to allowing users access to content.
At the same time, the problem is that this also seems to prevent verifying CSP policies.
I’m not sure whether you can give any hints in this, since you naturally would not know other plugins than your own, but if you have any ideas on how to get around this I’d be grateful. As a workaround I can of course temporarily disable the plugin, scan and then re-enable it, but I would if possible like to avoid that.
Repro:
Install version 2.3 of plugin
Load Content Security Policies section.
Search for child.
Find one reference to this field, but no ability to set it.
If you set frame src, this will also emit as child src on the header. However, the documentation available on CSP indicates that frame src is deprecated, so I’d expect the plugin to show a separate field for child src, and a note about frame src being deprecated.
Repro:
Install version 2.3 of plugin on an up-to-date WordPress
Set a policy for worker src or similar and save
Go to CSP control tab
Set a report URI, report only to https://[yourdomain].report-uri.com/
Click save.
Page confirms that the options were saved, but the report only field is now empty.
Checking with securityheaders.io confirms that the report-uri parameter is not being sent.
I test drove the plugin and love it – thank you for doing this, Dylan. Unfortunately I have REST API disabled so error reporting doesn’t work once I start enforcing the rules. I gotta choose between REST API security risks and no-CSP security risks, and I’m leaning no-CSP. Any chance a future version could do error reporting some other way that does not use REST API? Again, great plugin – you are awesome for creating it and making it available for free.
Please introduce the new Feature-Policy as described on https://scotthelme.co.uk/a-new-security-header-feature-policy/
It is introduced this year.
I found that this plugin already supports nonces. But have you considered Subresource Integrity (SRI) with integrity header? It could provide better security against MITM attacks.
I like the plugin. It works fine on other sites.
On one site it does not put anything in the headers. Not even SAMEORIGIN. Using SOPHOS testing shows only the Strict Transport Security that I have activated for all sites in the httpd of Apache.
I checked settings and they are the same as sites that work.
There is a WPML multilanguage plugin active. Could that have this effect?
There are no errors when WP is in debug mode.
Another plugin (secure headers) works. But since this plugin has no content options, I prefer the WP Content Security Plugin.
The title says it all
Hello!
Again thanks for this plugin!
But why does it enqueue jQuery UI from Google-CDN? I thought privacy-sensitive plugins would avoid third party requests. The plugin still works if I dequeue it…
Best regards,
Heiko
Hello!
Thank you for this great plugin!
My customizer violates my CSP rules because it needs ‘unsafe-inline’ for script src. Is it, or will it be, somehow possible to set a different CSP for /wp-admin/ or the customizer?
Thanks in advance!
Best regards,
Heiko
Hi there,
Could you please add an Import/Export function? This would be very helpful, especially in a multisite.
Hi Dylan,
For script-src, I am using an ‘unsafe-eval’ ‘unsafe-inline’ value
For style-src, I am using only an ‘unsafe-inline’ value
However, according to hardenize.com, these parameters shouldn’t be used because it re-enables insecure behavior that CSP disables by default. Here’s a more in-depth explanation as to why this website doesn’t recommend these values:
Script-src, unsafe-eval: By default, CSP doesn’t allow dynamic script execution via eval and friends, but this policy overrides that behavior by specifying ‘unsafe-eval’ in the ‘script-src’ directive. As a result, XSS defenses provided by CSP are significantly weakened.
Script-src, unsafe-inline: By default, CSP doesn’t allow inline script execution, but this policy overrides that behavior by specifying ‘unsafe-inline’ in the ‘script-src’ directive. As a result, all XSS defenses provided by CSP are significantly weakened.
Style-src, unsafe-inline: This policy allows inline styles. Although they are not as bad as inline scripts in terms of security, an injection bug in script area would allow the attacker to modify page appearance.
Do you have any sound recommendations to address these security concerns? If I delete these values, I end up getting many errors.
Thanks for the help like always and I apologize for taking so much of your time!
All my best,
Joe
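As an added example (not the plugin's code), a small Python linter that reports the three weaknesses quoted above and the child-src deprecation noted earlier in the thread, plus a rewrite that swaps script-src 'unsafe-inline' for a per-response nonce. The policy string is constructed.

```python
import secrets

def parse_csp(header_value):
    """Split a Content-Security-Policy header value into {directive: [sources]}."""
    policy = {}
    for chunk in header_value.split(";"):
        tokens = chunk.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def lint_csp(header_value):
    """Return (severity, directive, message) findings for the weaknesses discussed above."""
    policy = parse_csp(header_value)
    findings = []
    # script-src falls back to default-src when absent, as the browser does.
    script = policy.get("script-src", policy.get("default-src", []))
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script)
    if "'unsafe-eval'" in script:
        findings.append(("high", "script-src", "'unsafe-eval' re-enables eval() and friends"))
    # Browsers that understand nonces/hashes ignore 'unsafe-inline' once one is
    # present, so it only matters when it is the sole inline allowance.
    if "'unsafe-inline'" in script and not has_nonce_or_hash:
        findings.append(("high", "script-src", "'unsafe-inline' allows injected inline scripts; use a nonce or hash"))
    style = policy.get("style-src", policy.get("default-src", []))
    if "'unsafe-inline'" in style:
        findings.append(("medium", "style-src", "'unsafe-inline' lets injected markup restyle the page"))
    if "child-src" in policy:
        findings.append(("low", "child-src", "deprecated; use worker-src for workers and frame-src for frames"))
    return findings

def with_script_nonce(header_value):
    """Replace 'unsafe-inline' in script-src with a fresh per-response nonce.
    Returns (nonce, header); the same nonce must go on every legitimate inline <script>.
    """
    policy = parse_csp(header_value)
    nonce = secrets.token_urlsafe(16)
    script = [s for s in policy.get("script-src", policy.get("default-src", [])) if s != "'unsafe-inline'"]
    policy["script-src"] = script + [f"'nonce-{nonce}'"]
    return nonce, "; ".join(" ".join([name] + sources) for name, sources in policy.items())

# Constructed policy carrying the values quoted above.
WEAK_POLICY = ("default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; "
               "style-src 'self' 'unsafe-inline'; child-src 'self'")

if __name__ == "__main__":
    for finding in lint_csp(WEAK_POLICY):
        print(finding)
    print(with_script_nonce(WEAK_POLICY)[1])
```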
Hi,
I installed WP Content Security Policy Plugin Version 2.3 on a website and had some problems with CSS.
In fact, jQuery UI, loaded with the init function in the WP_CSP_Admin.php file is also loaded forward, and this is not compatible with the style of the website.
I arrived at this conclusion by deactivating the plugin, then just commenting out line 108 of the file mentioned above.
Could you change that to load them only in admin pages please? Thanks.
Hi Dylan,
Sorry to bother you again.
Quick question: My domain is https://www.resurrectedhair.net. After enabling CSPs, I got a few errors I need to fix. I notice the log presents the errors some relating to my URL others for gravatar and google.
For specific errors specifically pertaining to my domain name, should I allow access for any path and any filename?
For example, this blocked URL violates the script-src CSP: https://www.resurrectedhair.net/…/…/…core.min.js? (didn’t disclose the full file path to remain clandestine).
Looking at the log, I can just either allow access to any path and any filename so the script-src box will show https://www.resurrectedhair.net once and once only. Or I can click the any path and any filename drop down box in the log and select the specific file path and name to allow access to. So, the script-src box will read: https://www.resurrectedhair.net/…/…/…core.min.js.
However, if I choose to allow access under option #2, any other CSP violation pertaining to the same or a different directive will show the full path I granted the blocked URL full access to. This will look messy and somewhat redundant. More importantly, those sensitive file paths and names will be leaked publicly via developer tools.
I am thinking just to list only my domain name and keeping the blocked URL set to any path and any filename without selecting any specific path or filename.
I hope this makes sense and any guidance, since I am still new, would be generously appreciated!
Thanks!
All my best,
Joe
Hi there,
I have been using the plugin for a while and love it, it works great. However I am seeing a lot of blocked URL’s that don’t make sense to me, I have no background in web security so this isn’t a surprise.
Why would the log be showing that it blocked URL’s for
https://www.google.co.in,
https://www.google.co.za,
https://www.google.co.zw,
https://www.google.is,
https://kifkofcom-a.akamaihd.net/o?extid=obokcenokphfljgofbojaoaojgcpknfh&apid=http%3A%2F%2Fapi.kifkof.com&sDom=http%3A%2F%2Fkifkofcom-a.akamaihd.net&sid=C5JE3&ipa=2.25.212.158,
https://rocket.ribblesdale.org
and tons more. There are no links to any resource, script, image or otherwise, to any of these sites that I am aware of. We do not use AdSense for generating income etc. but we do have an AdGrants account for AdWords.
I have done a manual screen for Malware searching WP folders, Sucuri, Gravity Scan and WPMU’s Defender picked up nothing and I even got WP Engine to do a deep scan for Malware and they say all is clear.
Thanks for the plugin, hopefully you’ll be able to help me better understand how it’s working.
Stuart
Hello Dylan,
First off, kudos to a job well done! I am loving this plugin inside out.
As per your recommended instructions, upon initial setup, I made sure the CSP mode was set to Report Only. After scanning through my CSP log and Console in Google developer tools, I added the necessary content security policies to eliminate the errors.
When I changed and saved the mode to “enforce policies”, I noticed when I use an online tool called CSP evaluator: https://csp-evaluator.withgoogle.com/, or Security Headers: https://securityheaders.io/, the results still show I don’t have a CSP enforced.
However, after reading your post in this thread:
https://www.ads-software.com/support/topic/not-currently-showing-up-in-scans-from-anyone/
“Have a look at the network tab in developer tools and see if the initial page requested has Content-security-policy headers set.”
when I navigate to the Network tab in Google Developer tools, I do see all the CSPs under Response headers.
Does this mean my CSPs are enforced correctly?
Why are those two particular online CSP scanners telling me a different story? Is it because none of these CSPs are stored in my htaccess or apache.conf files?
Thanks for all you do Dylan! Your contribution and support are stupendous!
All my best,
Joe
Hello, I can’t enforce a CSP. I press save and there is no error message, but it doesn’t save
Hi
I updated the plugin to version 2.2 and found following issues:
– setting CSP mode to enforced does not work, switches back to not in use (setting CSP mode to reporting only works)
– clicking Internal Test URL checker button does nothing (no visible output)
Martin
Thank you for this plugin – designing CSP policy using this plugin was quick, easy and quite eye-opening.
I have a change suggestion – add HSTS preload with includeSubDomains option, since Google HSTS Preload list (https://hstspreload.org/) requires both. What do you think?
Martin
In the WP Content Security Policy Log I get this:
Violated Directive Blocked URL Count Action
style-src self 24 View Errors
No host name set - you need to add this entry manually.
Adding ‘self’ to style-src doesn’t help
Adding https://example.com doesn’t help
Same error for script-src
How / where do I set the entry for host name manually?
Ubuntu 16.04.2 server with multiple virtual hosts
when I attempt to clear the log file using the blue button on the csp log admin page I get the following error:
error: {"code":"rest_no_route","message":"No route was found matching the URL and request method","data":{"status":404}}
Please Retry.
Is there a way to manually clear the logs?
I also receive the following error when I press the “Allow SCRIPT-SRC access” button
error: {"code":"rest_no_route","message":"No route was found matching the URL and request method","data":{"status":404}}
Please Retry.
I assume it’s related, but since I am able to manually add items to the CSP options page it is not a big deal – being able to clear the logs would be nice though.
Thanks,
Joe