I’m using NGINX. Is this plugin only for use with Apache servers?

Please consider moving the scripts to linked files. If that isn’t possible, please print them in the right way so that we can add a nonce to them using the wp_script_attributes filter.

I wonder if you could consider making two improvements to the Presto Player? I’d like to submit them as feature requests.
First, some Presto Player assets are loaded on pages without any Presto Player blocks. Please load the assets conditionally.
Second, Presto Player adds insecure inline scripts, making Presto Player incompatible with secure CSPs (we must add the unsafe-inline attribute to our sites’ CSPs). Please move all scripts to files. If that requires too much work, please enqueue them so that their attributes are filterable with wp_script_attributes, introduced in WordPress 5.7.
If you add the scripts as files, you make Presto Player compatible with static secure CSPs. If you add the scripts inline though filterable with wp_script_attributes, you make Presto Player compatible with dynamic CSPs (which is better than nothing).
Best regards
Karl Emil Nikka

I have added some CSP headers for my page and wanted to avoid enabling ‘unsafe-inline’ for script-src. If I leave the unsafe-inline option out in my evolve theme, I get error messages due to functions not executing, e.g. because of missing variables (Uncaught ReferenceError: evolve_js_local_vars is not defined), which seem to be implemented as an inline script in the evolve theme.
Do you have any advice for me on how I can use the evolve theme but still have the unsafe-inline option disabled?
Thank you very much

(‘//mysite.com/?wordfence_lh=1&hid=A49E4F44F688F7A6996859429437F777’);
where the value of hid is generated dynamically, changing every time the page is displayed.
I am attempting to implement a Content Security Policy for my site in which it is not necessary to use the “unsafe-inline” directive. But to do this, I must either include hashes of all inline scripts or a nonce. I see no way to use nonces, but it is impossible to use hashes, too, if the script itself changes dynamically.
So, my question is whether it is really necessary to include that dynamic hid in the script? Or, can you suggest a way to avoid the potential security issue of using “unsafe-inline”? As far as I can see, the only real solution (assuming I want to continue to use Wordfence) is to change the code in the plugin to do what you want to do without dynamic, inline scripts.

My site uses a CSP not allowing ‘unsafe-eval’ script sources.
So on a page with your filter, I get the following error:
jquery.slider.js?ver=1.3.5:710 Uncaught EvalError: Refused to evaluate a string as JavaScript because ‘unsafe-eval’ is not an allowed source of script in the following Content Security Policy directive: “script-src ‘self’ blob: ‘unsafe-inline’
It may be interesting to treat this one?
Thank you for your good product anyway.

WP admin (core) appears to require the ‘unsafe-inline’ value for the ‘script-src’ CSP directive. The ‘unsafe-inline’ value is also used in your screenshot example (https://ps.w.org/http-security/assets/screenshot-2.png?rev=1665126).
However, including ‘unsafe-inline’ produces the warning, “This policy contains ‘unsafe-inline’ which is dangerous in the script-src directive.” using the security header scanning tool you recommend (https://securityheaders.com/?q=villagebankmortgage.com&followRedirects=on). It’s my understanding that allowing ‘unsafe-inline’ is one of the most common ways a WordPress website can be compromised.
How can we set a Content-Security-Policy for WordPress Admin that does not produce any security warnings?
Thank you

An example of a CSP HTTP header would be:
<?php
// Send the same CSP header on the front end, on the login page and in wp-admin.
add_action('send_headers', 'set_CSP_header');
add_action('login_init', 'set_CSP_header');
add_action('admin_init', 'set_CSP_header');

function set_CSP_header() {
    // Scripts may only come from this site and the Matomo host; no inline scripts are allowed.
    $CSP = "Content-Security-Policy: default-src 'none'; script-src 'self' www.my-own-matomo-analytics-website.com; connect-src 'self'; img-src 'self' www.my-own-matomo-analytics-website.com; style-src 'self';";
    header($CSP);
}
?>
Currently this CSP header does not work with the WP-Matomo plugin because it blocks the tracking script from loading. Website administrators would have to have ‘unsafe-inline’ in the script-src directive to allow loading of the tracking script. Using ‘unsafe-inline’ removes most of the XSS protection that CSP is able to give.
To make WP-Matomo CSP compatible, the tracking script would have to be loaded from a separate .js file.
Are you planning on adding this feature? If yes, when? If no, what would be the challenges in making this plugin CSP compatible?

An example of a CSP HTTP header would be:
<?php
// Send the same CSP header on the front end, on the login page and in wp-admin.
add_action('send_headers', 'set_CSP_header');
add_action('login_init', 'set_CSP_header');
add_action('admin_init', 'set_CSP_header');

function set_CSP_header() {
    // Scripts may only come from this site and Google Analytics; no inline scripts are allowed.
    $CSP = "Content-Security-Policy: default-src 'none'; script-src 'self' www.google-analytics.com; connect-src 'self'; img-src 'self'; style-src 'self';";
    header($CSP);
}
?>
Currently this CSP header does not work with the ExactMetrics plugin because it blocks the tracking script from loading. Website administrators would have to have ‘unsafe-inline’ in the script-src directive to allow loading of the tracking script. Using ‘unsafe-inline’ removes most of the XSS protection that CSP is able to give.
To make ExactMetrics CSP compatible, the tracking script would have to be loaded from a separate .js file.
Are you planning on adding this feature? If yes, when? If no, what would be the challenges in making this plugin CSP compatible?
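
Editor's note. Several of the posts above (the Presto Player request for nonces via wp_script_attributes, the Wordfence question about a per-request hid value that defeats hashes, and the WP-Matomo and ExactMetrics policies that break on inline tracking snippets) describe the same two mechanisms without showing them: a per-request nonce stamped onto every script tag WordPress prints, and a hash source for inline scripts whose text never changes. The following is an added example, written for this page; it is not code from WordPress core or from any of the plugins discussed. The filter names wp_script_attributes and wp_inline_script_attributes are the real WordPress 5.7 filters; every function with the csp_example_ prefix, and the policy itself, are my own and would be adapted per site.

```php
<?php
/**
 * Plugin Name: CSP nonce example (added example, not from any plugin above)
 * Drop into wp-content/mu-plugins/ on a WordPress >= 5.7 site.
 */

// One nonce per request: generated once, reused by the header and both filters.
function csp_example_nonce() {
    static $nonce = null;
    if ($nonce === null) {
        $nonce = base64_encode(random_bytes(16)); // 128 bits from the CSPRNG
    }
    return $nonce;
}

// Build the policy string. Inline scripts are admitted only by the nonce;
// external files still pass via 'self'. Adding 'strict-dynamic' to script-src
// would make browsers ignore 'self' and host entries and trust only nonced
// scripts (and whatever they load), which is stricter but breaks any plugin
// that echoes raw <script src=...> tags outside the WordPress API.
function csp_example_policy($nonce) {
    return implode('; ', [
        "default-src 'none'",
        "script-src 'self' 'nonce-$nonce'",
        "connect-src 'self'",
        "img-src 'self'",
        "style-src 'self'",
        "base-uri 'none'",   // no <base> injection to redirect relative script URLs
        "form-action 'self'",
    ]);
}

function csp_example_send_header() {
    if (headers_sent()) {
        return; // output already started; a header here would only raise a warning
    }
    header('Content-Security-Policy: ' . csp_example_policy(csp_example_nonce()));
}
add_action('send_headers', 'csp_example_send_header'); // front end
add_action('login_init',   'csp_example_send_header'); // wp-login.php
add_action('admin_init',   'csp_example_send_header'); // wp-admin

// Stamp the nonce onto every <script src=...> and every inline <script> that
// WordPress prints through its own tag helpers (WordPress 5.7+). A plugin that
// echoes raw <script> HTML never passes through these filters, so its scripts
// stay blocked; that is exactly the change the posts above ask plugin authors for.
function csp_example_add_nonce(array $attributes) {
    $attributes['nonce'] = csp_example_nonce();
    return $attributes;
}
add_filter('wp_script_attributes',        'csp_example_add_nonce');
add_filter('wp_inline_script_attributes', 'csp_example_add_nonce');

// Hash sources are the alternative for inline scripts whose text is static.
// The browser recomputes SHA-256 over the exact script body, so a snippet
// that embeds a per-request value (like the hid above) can never match one.
function csp_example_hash_source($inline_js) {
    return "'sha256-" . base64_encode(hash('sha256', $inline_js, true)) . "'";
}
```

Verify in the browser console after installing: a nonced inline script runs, and any script a plugin prints without going through the WordPress tag helpers is reported as blocked with the policy that blocked it. Once a nonce or hash is present in script-src, CSP Level 2 browsers ignore 'unsafe-inline', so leaving it in the policy neither helps nor hurts modern browsers; the securityheaders.com warning quoted above is about policies where the keyword is the only thing admitting inline scripts.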