• Hi,
    First of all, let me thank you for your great plugin, which really is a huge help for us on many websites!

    For security reasons, we are forced to use a strict CSP (content security policy) on a new website where “unsafe-inline” or “unsafe-eval” is no longer possible/allowed. (Just to mention it, not allowing unsafe inline code execution is very reasonable and will probably be introduced by more and more websites and hosters).

    Unfortunately, CF7 together with the reCaptcha addon are creating inline code, which causes a lot of console errors (due to the CSP settings) and therefore also leads to the reCaptcha not being displayed and the form not working.

    We already saw this ticket: https://www.ads-software.com/support/topic/csp-and-unsafe-inline/ but unfortunately there doesn’t seem to be a solution yet.

    We are creating a nonce to be used together with the CSP rule, so that’s what our CSP rule for script-src looks like:

    script-src 'self' 'nonce-" . $_SESSION['script-nonce'] . "'

    For all scripts that are embedded by WordPress, we add this nonce in functions.php to make them work, which works just fine:

    add_filter( 'script_loader_tag', 'add_nonce_to_script', 10, 3 );
    function add_nonce_to_script( $tag, $handle, $source ) {
        // Insert the per-session nonce into every enqueued <script> tag.
        // Note: only tags that carry type='text/javascript' are matched.
        $search  = "type='text/javascript'";
        $replace = "type='text/javascript' nonce='" . $_SESSION['script-nonce'] . "' ";
        $subject = $tag;

        $output = str_replace( $search, $replace, $subject );
        return $output;
    }

    This way, for example also your plugin’s script is being loaded using the nonce and therefore being validated:

    <script nonce='ot353ENqk7DMURbcOQIseNdynRQWckKbBYsO6qN2/1E=' src='https://OURDOMAIN/wp-content/plugins/contact-form-7/includes/js/scripts.js'></script>

    The only issue we are having is with the inline <script> tags generated by your plugin and/or the reCaptcha addon. So stuff like this:

    <script >var wpcf7 = {"apiSettings":{"root":"https:\/\/OURDOMAIN\/wp-json\/contact-form-7\/v1","namespace":"contact-form-7\/v1"}};</script>

    In my opinion, it would be very easy to get this to work as well if we could apply a similar filter so we could add the nonce to the inline <script> tags too, so the filtered output should be something like this:

    <script nonce='ot353ENqk7DMURbcOQIseNdynRQWckKbBYsO6qN2/1E='>var wpcf7 = {"apiSettings":{"root":"https:\/\/OURDOMAIN\/wp-json\/contact-form-7\/v1","namespace":"contact-form-7\/v1"}};</script>

    Is there any filter existing that we could use for this, or would it be possible for you to add such a filter to your plugin? This would be a great help and I’m pretty sure we wouldn’t be the only ones to benefit from this.

    Thank you very much in advance!

    • This topic was modified 4 years, 9 months ago by m3h1nd3r.
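    The approach described in the post above, as an added example that is neither the plugin's nor the poster's code: a per-request nonce is attached to both external and inline <script> tags through WordPress core filters, and the matching header is sent. It assumes WordPress 5.7 or later, which introduced the wp_script_attributes and wp_inline_script_attributes filters; the function names csp_* are made up for this example.

```php
<?php
// Added example (not part of Contact Form 7 or the thread). Assumes WP >= 5.7,
// where wp_get_script_tag() / wp_get_inline_script_tag() run the two
// attribute filters hooked below; wp_localize_script() output such as the
// "var wpcf7 = {...}" block goes through the inline variant.

function csp_script_nonce() {
    // One fresh nonce per request. A nonce stored in the session and reused
    // across requests stays valid for as long as the session lives, which
    // weakens the guarantee the CSP is meant to give.
    static $nonce = null;
    if ( null === $nonce ) {
        $nonce = base64_encode( random_bytes( 16 ) );
    }
    return $nonce;
}

function csp_add_nonce_attribute( array $attributes ) {
    // The filters pass the tag's attribute array; adding a key adds the attribute.
    $attributes['nonce'] = csp_script_nonce();
    return $attributes;
}

// External tags (<script src=...>): replaces the str_replace() on
// script_loader_tag, which only matches tags carrying type='text/javascript'.
add_filter( 'wp_script_attributes', 'csp_add_nonce_attribute' );

// Inline tags, including the wpcf7 / wpcf7iqfix localisation blocks.
add_filter( 'wp_inline_script_attributes', 'csp_add_nonce_attribute' );

function csp_send_header() {
    if ( headers_sent() ) {
        return;
    }
    // Same policy shape as in the post, with the per-request nonce inserted.
    $nonce = csp_script_nonce();
    header( "Content-Security-Policy: script-src 'self' 'nonce-{$nonce}'" );
}
add_action( 'send_headers', 'csp_send_header' );
```

    Scripts that are printed directly from an action such as wp_footer (rather than enqueued) bypass both filters and still need their own handling. reCAPTCHA's api.js loads further scripts itself, so the policy must additionally allow those origins or use 'strict-dynamic' to extend trust from the nonced loader.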
Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Author Takayuki Miyoshi

    (@takayukister)

    It uses the wp_footer action hook to output the script, so you can remove the wpcf7_recaptcha_onload_script function from the hook and add your own function to it.

    Thread Starter m3h1nd3r

    (@m3h1nd3r)

    Thanks! But the CSP issues don’t seem to be caused by this script only, there are also two general CF7 scripts that create inline code and would require the nonce. Are there any filters that we could hook in to add the required nonces for those?

    <script >
    /* <![CDATA[ */
    var wpcf7 = {"apiSettings":{"root":"https:\/\/OURDOMAIN\/wp-json\/contact-form-7\/v1","namespace":"contact-form-7\/v1"}};
    /* ]]> */
    </script>
    <script >
    /* <![CDATA[ */
    var wpcf7iqfix = {"recaptcha_empty":"Bitte best\u00e4tige, dass du kein Roboter bist."};
    /* ]]> */
    </script>

    Any chance you could add a custom filter to the plugin that would allow us (and anyone else with this issue) to communicate the nonce to CF7, so it would be appended to the <script> tags? We would really like to avoid patching the plugin, as we could no longer update it in this case.

    Thread Starter m3h1nd3r

    (@m3h1nd3r)

    Hi @takayukister, any update here? Any chance you could provide a filter for us to communicate the CSP nonce to CF7 for your inline scripts? Thank you very much!

    Hey,

    Any update on this? It would be nice to see a feature to set a different nonce for the script and the styling that is automatically applied to the form.

    Thanks!

    Thread Starter m3h1nd3r

    (@m3h1nd3r)

    Also a +1 from me! We are still waiting on a reply by @takayukister and are still very interested in a solution for this issue. Thanks in advance!

    Thread Starter m3h1nd3r

    (@m3h1nd3r)

    Hi @takayukister any update on this issue? Thank you!

    bgdteam

    (@bgdteam)

    Hi guys,

    Just wanted to catch up on this. Looks like this thread has been going on for the best part of a year or more. It’s a shame we don’t seem to have had any progression on things.

    We recently inherited a client and have successfully implemented a CSP without any issues aside from CF7; we’re currently looking into other form providers like Gravity Forms as an alternative.

    Fingers crossed some progress is made soon.

    Thread Starter m3h1nd3r

    (@m3h1nd3r)

    Hi @bgdteam, +1 from my side and thanks for catching up. We would also still be very happy if @takayukister could give an update on this topic and whether any solution to communicate the CSP nonce to CF7 is foreseeable.

  • The topic ‘Contact Form 7 and CSP / Content Security Policy’ is closed to new replies.