Content Security Policy

  • Resolved lernerconsulting

    (@lernerconsult)


    4 years, 6 months ago

    What Content Security Policy line needs to be updated to allow reading https://updates.sgvps.net/supported-versions.json ?
    Better, of course, is to include the data at the server, no separate request.

    Even adding updates.sgvps.net to the default-src section of my CSP in .htaccess has no effect on this error. So, I am guessing it would require an ‘unsafe-inline’ in the CSP; defeats the point of using a CSP.

    
Content Security Policy: The page’s settings blocked the loading of a resource at https://updates.sgvps.net/supported-versions.json (“default-src”).

    With this file not getting loaded, the SG Optimizer page shows content briefly then all content in <div id=”sg-optimizer-app”> disappears. 

    
<div id="sg-optimizer-app"></div>

    The page I need help with: [log in to see the link]

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author Stanimir Stoyanov

    (@sstoqnov)

    SiteGround Representative

    Hey @lernerconsult,

    You have Content Security Policy rules in your htaccess, which block the request to our PHP supported versions file.

    Removing those lines fixes the issue.

    Regards,
    Stanimir

    Thread Starter lernerconsulting

    (@lernerconsult)

    Got it Working.

    I couldn’t trace what part of the CSP to modify.

    Put updates.sgvps.net in Each section of the CSP, in public_html/.htaccess and it was blocked.

    Firefox Developer Tools, and the Chromium Inspector, show a CSP for that file that is very different than I usually see; very different than what I had just been editing.

    Found public_html/wp-admin/.htaccess had a CSP, very incomplete, deleted it.

    Now Firefox and Chrome say a normal “connect-src” instead of failing “default-src”.

    Chromium Inspector says Refused to connect to 'https://updates.sgvps.net/supported-versions.json' because it violates the following Content Security Policy directive: connect-src

    Add updates.sgvps.net to the connect-src section and the plugin works as expected.

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Content Security Policy’ is closed to new replies.