• Resolved mkvrob

    (@mkvrob)


    Hi,

    I had to turn this plugin off for the website I was testing it on until I can get some answers. The thing is that I have set up Scripts/Images/Frames domains that should be always allowed. That seems to be working fine.

    Then I have filled in domains as google-analytics.com, googletagmanager.com etc. for Statistics and some other in Marketing but even if I accept the Cookies for Statistics/Marketing these get blocked in the Chromium based browsers because of CSP.

    In Firefox it works just fine. The blocking happens only if I refuse the Cookies as it should be. Below you can see my settings:

    I was experimenting with different setups but no luck – in Chromium browsers the Stats/Marketing scripts do always get blocked. Firefox is fine.

    When I tried to put all the domains in “Always allow” it was fine.

    The errors in Chrome are below. For some reason it keeps mentioning the domains that should be always allowed.

    Refused to load the script '<URL>' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'unsafe-eval' <URL> <URL> <URL>". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
    
    (index):2 Refused to load the script 'https://www.google-analytics.com/analytics.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.googleapis.com/ https://*.gstatic.com/ https://*.bisnode.cz/". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
    
    (anonymous) @ (index):2
    (anonymous) @ (index):3
    www.awac.cz/:1 Refused to load the script 'https://www.googletagmanager.com/gtag/js?id=G-41W4G22JCH' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.googleapis.com/ https://*.gstatic.com/ https://*.bisnode.cz/". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
    
    (index):6 Refused to load the script 'https://www.googletagmanager.com/gtm.js?id=GTM-TB3BLMF' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.googleapis.com/ https://*.gstatic.com/ https://*.bisnode.cz/". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
    
    (anonymous) @ (index):6
    (anonymous) @ (index):7
    (index):30 Refused to load the script 'https://t.leady.com/sJ11WjoxozNPCbTv/L.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.googleapis.com/ https://*.gstatic.com/ https://*.bisnode.cz/". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
    
    (anonymous) @ (index):30
    (anonymous) @ (index):30
    (index):31 Refused to load the script 'https://ifirmy.cz/pxstats/piwik.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.googleapis.com/ https://*.gstatic.com/ https://*.bisnode.cz/". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

    Any help would be greatly appreciated.

    Thank you!


Viewing 9 replies - 1 through 9 (of 9 total)
  • Plugin Author Johan Jonk Stenström

    (@jonkastonka)

    Looks right. Do you have a cache plugin that might be interfering with the settings? If so, try to switch it off and see what happens.

    Plugin Author Johan Jonk Stenström

    (@jonkastonka)

    And I guess you’ve accepted everything when you got those errors, otherwise that is the problem.

    Thread Starter mkvrob

    (@mkvrob)

    Hello Johan,

    thanks for getting back to me on such short notice. I have done some more testing and it seems like it might be a server/caching issue. I have staged the website on a local server and everything was functional, even in the Chromium browsers.

    I cannot wrap my head around the fact that it works with Firefox but not Chromium browsers on the production server though. This server is a WordPress-focused build, but from time to time it acts funny and there are issues like this with it.

    Looks like I am gonna have to test-run the website on another server to make sure. I will let you know the results…

    Thread Starter mkvrob

    (@mkvrob)

    So I staged the website on another server and it works just fine. You can see here: https://klient.mk-vision.cz/awac/en/

    I am not inserting actual GA/GTM IDs so there are no false statistics but the loading/blocking based on the Cookies settings works fine. Which means there is some kind of issue on the production server.

    I guess we can mark this as solved unless you want to know what the issue on the server was? I will try to ask the admin to find the issue and fix it.

    Did you find a solution? I’m experiencing something similar.

    Only in Chrome and clones, on whichever page you first come to and accept all cookies, the rules don’t seem to get implemented, and scripts get blocked because they’re not in the ‘Always allow’ category. Curiously, if you go onto another page on the site, the rules work. If you return to the initial page via browser history, the rules are still broken. But if instead of going back via history you click a link for that initial page somewhere on the site, then the rules work. Firefox and Safari have no such problem, and I can’t see anything different in Chrome’s console compared to FF…

    You can try it yourself at https://slimbyapriori.global
    It should load a newsletter subscription popup and a FB chat bubble. It won’t, in Chrome, until you do as described above.

    For context, I’m using CloudFlare and their cache, with the cookie exception set as directed, and I have allowed the cookies plugin to execute php in its folders. Disabling the cache makes it work. Are there any specific files that I should exclude from caching for the plugin to work in Chrome?

    • This reply was modified 1 year, 1 month ago by somePaulo. Reason: Added example link
    • This reply was modified 1 year, 1 month ago by somePaulo. Reason: additional info
    Thread Starter mkvrob

    (@mkvrob)

    Hi,

    yeah, I was able to solve it by disabling server-side caching (the hosting provider had to do that). My guess is that CloudFlare caching might be acting funny on you – try to stage the website without it, and on a different server maybe?

    Good luck!

    Thanks for the update @mkvrob

    This is to do with cache, yes, since only calls to ‘always allowed’ scripts are cached with the page, and when the cookie is set it doesn’t trigger a fresh fetch of the page from the server. I wonder why this is the case only in Chrome…
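
The caching interaction described in this reply, modelled in Python as an added illustration (not part of the thread and not the plugin's code): a consent-driven script-src policy behind a full-page cache, keyed on the URL alone (the failure mode above) versus on the URL plus the consent cookie. The host lists, category names and cookie name are constructed assumptions; the host-source matcher is simplified and skips CSP path matching.

```python
from urllib.parse import urlsplit

# Constructed settings in the shape the thread describes (not the plugin's data).
ALWAYS_ALLOW = ["https://*.googleapis.com/", "https://*.gstatic.com/"]
CATEGORIES = {
    "statistics": ["https://www.google-analytics.com/", "https://www.googletagmanager.com/"],
    "marketing": ["https://t.leady.com/"],
}
CONSENT_COOKIE = "consent_categories"  # hypothetical cookie name, not the plugin's

def build_csp(consented):
    """script-src = always-allowed hosts plus the hosts of every consented category."""
    sources = list(ALWAYS_ALLOW)
    for category in consented:
        sources += CATEGORIES.get(category, [])
    return "script-src 'self' " + " ".join(sources)

def host_source_matches(source, url):
    """Simplified CSP host-source match: same scheme; '*.' matches subdomains only.
    (Path-prefix matching, which real CSP also does, is omitted here.)"""
    s, u = urlsplit(source), urlsplit(url)
    if s.scheme != u.scheme or not u.hostname:
        return False
    if s.hostname.startswith("*."):
        return u.hostname.endswith("." + s.hostname[2:])
    return s.hostname == u.hostname

def csp_allows_script(csp, url):
    """Would a browser enforcing this policy load the script at url?"""
    sources = [src for src in csp.split()[1:] if src.startswith("http")]
    return any(host_source_matches(src, url) for src in sources)

def render(cookies):
    """Origin server: the consent cookie carries a comma-separated list of accepted categories."""
    consented = [c for c in cookies.get(CONSENT_COOKIE, "").split(",") if c]
    return build_csp(consented)

def serve(cache, path, cookies, vary_on_consent):
    """Full-page cache in front of render(). Keying on the path alone (vary_on_consent=False)
    replays the first visitor's unconsented policy to everyone who accepts later."""
    key = (path, cookies.get(CONSENT_COOKIE, "")) if vary_on_consent else (path,)
    if key not in cache:
        cache[key] = render(cookies)
    return cache[key]
```

The same model shows the fix: once the cache key includes the consent cookie (or the page is excluded from caching), a visitor who has accepted Statistics/Marketing gets a policy that lists those hosts.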

    Thread Starter mkvrob

    (@mkvrob)

    That is the same question I have. Why does it not work in Chromium based browsers?

    • This reply was modified 1 year, 1 month ago by mkvrob.
    Thread Starter mkvrob

    (@mkvrob)

    I guess we can wrap this up. It was caused by server-side caching.

  • The topic ‘CSP is blocking voluntary scripts no matter what’ is closed to new replies.