My site uses CSPv3, which excludes “unsafe-eval”, and this plugin keeps complaining about it. The funny thing is the old version 4.0 works great. I am a premium user until today and I STILL cannot update to the newest version 5.2.3 because of that CSP issue. Luckily I still have an archive of the old version 4.0 and I am still using it.
Hopefully the dev will take notice of this matter. They should review how they made the 4.0; it’s the only version that works with high security header settings.
Another note: this plugin has been broken with CSPv3 since version 4.4.1.

I’m using NGINX. Is this plugin only for use with Apache servers?

Thank you

I’m a Content Security Policy, and I would like to level up the security of my website. I’d like to use nonces, which I already have added to every CSS/JS on the pages.
However, since CSP nonces are generated for every single page visit, I’m looking for a way to bypass the cache for certain page sections (links, JavaScript) and generate a new nonce.
Could you help me? I asked for your help 6 months ago in another topic.

Console says: “Content-Security-Policy: Die Einstellungen der Seite haben das Laden einer Ressource (frame-src) auf https://www.youtube-nocookie.com/embed/OMcK8k0ZUIA?autoplay=1&controls=1&wmode=opaque&rel=0&egm=0&iv_load_policy=3&hd=0 blockiert, da sie gegen folgende Direktive verstößt: “default-src ‘self’ ‘unsafe-inline’ ‘unsafe-eval’””
As far as I understand it, CSP is a browser setting. So I can’t change that for users. Do you have an idea?

The best practice is not to use ‘unsafe-inline’ and ‘unsafe-eval’ for scripts.
To make a long story short, I coded the functionality of dynamic CSP (it calculates hashes or adds a nonce for inline and external scripts). Details are not so important, but I use standard WP functions and filters for scripts: wp_add_inline_script(), wp_print_inline_script_tag(), wp_localize_script(), etc. It allows me to add the CSP nonce to them or calculate hashes for them. Everything works well, but…
Your plugin outputs scripts in an inappropriate way without using any WP functions or filters (‘wp_script_attributes’, ‘wp_inline_script_attributes’). At least in fix_malformed_script_link_tags(). It makes it impossible to implement CSP for your scripts and forces me to do dirty tricks to fix it. It’s really sad.
I urge you to support CSP and output JS scripts with WP functions/filters only (and don’t use inline handlers like onclick, etc.).
Thanks.

The best practice is not to use ‘unsafe-inline’ and ‘unsafe-eval’ for scripts.
To make a long story short, I coded the functionality of dynamic CSP (it calculates hashes or adds a nonce for inline and external scripts). Details are not so important, but I use standard WP functions and filters for scripts: wp_add_inline_script(), wp_print_inline_script_tag(), wp_localize_script(), etc. It allows me to add the CSP nonce to them or calculate hashes for them. Everything works well, but…
Your plugin outputs an inline script with an inline handler in an inappropriate way without using any WP functions or filters (‘wp_inline_script_attributes’, ‘wp_script_attributes’). At least in mo_saml_add_sso_button(). It makes it impossible to implement CSP for your scripts and forces me to do dirty tricks to fix it. It’s really sad.
I urge you to support CSP and output JS scripts with WP functions/filters only (and don’t use inline handlers like onclick, etc.).
Thanks.

I have a problem on my website:
(Fatal error: Uncaught Rubix\ML\Exceptions\RuntimeException: Estimator has not been trained. in /public_html/wp-content/plugins/no-unsafe-inline/vendor/rubix/ml/src/Classifiers/KNearestNeighbors.php:208
Stack trace:
#0 /public_html/wp-content/plugins/no-unsafe-inline/src/Nunil_Manipulate_DOM.php(985): Rubix\ML\Classifiers\KNearestNeighbors->predict()
#1 /public_html/wp-content/plugins/no-unsafe-inline/src/Nunil_Manipulate_DOM.php(416): NUNIL\Nunil_Manipulate_DOM->check_cluster_whitelist()
#2 /public_html/wp-content/plugins/no-unsafe-inline/src/Nunil_Manipulate_DOM.php(302): NUNIL\Nunil_Manipulate_DOM->allow_inline()
#3 /public_html/wp-content/plugins/no-unsafe-inline/src/Nunil_Manipulate_DOM.php(273): NUNIL\Nunil_Manipulate_DOM->manipulate_inline_scripts()
#4 /public_html/wp-content/plugins/no-unsafe-inline/public/class-no-unsafe-inline-public.php(201): NUNIL\Nunil_Manipulate_DOM->get_local_csp()
#5 /public_html/wp-includes/class-wp-hook.php(324): No_Unsafe_Inline_Public->filter_final_output()
#6 /public_html/wp-includes/plugin.php(205): WP_Hook->apply_filters()
#7 /public_html/wp-content/mu-plugins/no-unsafe-inline-output-buffering.php(46): apply_filters()
#8 /public_html/wp-includes/class-wp-hook.php(324): {closure}()
#9 /public_html/wp-includes/class-wp-hook.php(348): WP_Hook->apply_filters()
#10 /public_html/wp-includes/plugin.php(517): WP_Hook->do_action()
#11 /public_html/wp-includes/load.php(1280): do_action()
#12 [internal function]: shutdown_action_hook()
#13 {main}
thrown in /public_html/wp-content/plugins/no-unsafe-inline/vendor/rubix/ml/src/Classifiers/KNearestNeighbors.php on line 208)
When I deactivate the plugin, the website works well. Can you support me?