CSP – inline/eval issues
-
Purchase the WP Hide Pro plugin. After configuring csp the website received a csp grade “A” at securityheaders.com, however it came with a warning about inline/eval which my theme needs to function view here Also, the theme has some functionality problems with images, and format since configuring csp. am requesting advisement on how to configure csp that safely allows unsafe inline/eval since the WordPress core functionality, plugin compatibility, theme functionality, admin interface, operations Dynamic content handling requires it. Also, the following error message showed when inspected:
This page failed to load a stylesheet from a URL.Affective resources:
3 resources:
staging2.abc12362.sg-host.com/:1
staging2.abc12362.sg-host.com/:0
staging2.abc12362.sg-host.com/:4
and
- Some resources are blocked because their origin is not listed in your site’s Content Security Policy (CSP). Your site’s CSP is allowlist-based, so resources must be listed in the allowlist in order to be accessed.
A site’s Content Security Policy is set either via an HTTP header (recommended), or via a meta HTML tag.
To fix this issue do one of the following:- (Recommended) If you’re using an allowlist for ‘script-src’, consider switching from an allowlist CSP to a strict CSP, because strict CSPs are more robust against XSS. See how to set a strict CSP.
- Or carefully check that all of the blocked resources are trustworthy; if they are, include their sources in the CSP of your site. ??Never add a source you don’t trust to your site’s CSP. If you don’t trust the source, consider hosting resources on your own site instead.
- Affected Resources
- 7 directives
- Resource
- datablockedstyle-src-elemstaging2.abc12362.sg-host.com/:4https://fonts.googleapis.com/css?family=Raleway%3A300%2C400%2C700%2C800%2C900%7CRoboto%3A400%2C500%2C700%2C900&display=swap&subset=cyrillic%2Cvietnameseblockedstyle-src-elemstaging2.abc12362.sg-host.com/:4https://fonts.googleapis.com/css?family=Roboto%3A100%2C100italic%2C200%2C200italic%2C300%2C300italic%2C400%2C400italic%2C500%2C500italic%2C600%2C600italic%2C700%2C700italic%2C800%2C800italic%2C900%2C900italic%7CRoboto+Slab%3A100%2C100italic%2C200%2C200italic%2C300%2C300italic%2C400%2C400italic%2C500%2C500italic%2C600%2C600italic%2C700%2C700italic%2C800%2C800italic%2C900%2C900italic&display=swapblockedstyle-src-elemstaging2.abc12362.sg-host.com/:4datablockedscript-src-elemstaging2.abc12362.sg-host.com/:0datablockedstyle-src-elemstaging2.abc12362.sg-host.com/:0https://fonts.googleapis.com/css?family=Raleway%3A300%2C400%2C700%2C800%2C900%7CRoboto%3A400%2C500%2C700%2C900&display=swap&subset=cyrillic%2Cvietnameseblockedstyle-src-elemstaging2.abc12362.sg-host.com/:0https://fonts.googleapis.com/css?family=Roboto%3A100%2C100italic%2C200%2C200italic%2C300%2C300italic%2C400%2C400italic%2C500%2C500italic%2C600%2C600italic%2C700%2C700italic%2C800%2C800italic%2C900%2C900italic%7CRoboto+Slab%3A100%2C100italic%2C200%2C200italic%2C300%2C300italic%2C400%2C400italic%2C500%2C500italic%2C600%2C600italic%2C700%2C700italic%2C800%2C800italic%2C900%2C900italic&display=swapblockedstyle-src-elemstaging2.abc12362.sg-host.com/:0?
- Some resources are blocked because their origin is not listed in your site’s Content Security Policy (CSP). Your site’s CSP is allowlist-based, so resources must be listed in the allowlist in order to be accessed.
- You must be logged in to reply to this topic.
