brokul (@brokul) [Resolved]


    Hi!
    Is there any way to disable security headers for admin pages or signed-in users? Currently my CSP policy breaks admin pages and works fine for other pages. Due to this I need to use another HTTP security headers plugin.

Viewing 3 replies - 1 through 3 (of 3 total)
Plugin Contributor Marko Vasiljevic (@vmarko)

    Hello @brokul

    I am sorry about the issue you are experiencing with CSP, and I am happy to assist you with this.
    Unfortunately, there is no way to disable CSP for logged-in users.
    Can you please share more information on how CSP is breaking admin pages, as this is the first time this kind of issue has been reported?
    Thanks!

Thread Starter brokul (@brokul)

    Hello @vmarko !
    Thank you for your answer. I try to keep as strict a CSP policy as possible, and among others I set:

    connect-src 'self'
    font-src 'self'
    script-src 'self' 'unsafe-inline'
    style-src 'self' 'unsafe-inline'
    frame-src 'self'
    frame-ancestors 'self'
    img-src 'self'

    As you can see, for scripts and styles I have 'unsafe-inline', but unfortunately WordPress and plugins use inline scripts/styles a lot. I haven't found a good solution for that yet.

    It looks like with this policy:
    - add/edit posts doesn't work at all (it requires 'unsafe-eval' within script-src),
    - the plugins page does not show plugins' images and the development console contains errors,
    - there are JS errors in the console on other pages and a lot of failed requests (mainly for assets).

Plugin Contributor Marko Vasiljevic (@vmarko)

    Hello @brokul

    Thank you for the information.
    As I understand the issue you are experiencing, it is not possible to disable CSP for logged-in users.
    The only option is to disable it while logged in and re-enable it after.
    Thanks!
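What the thread asks for can be done at the WordPress level rather than in the headers plugin. The following must-use plugin is an added example written for this thread; it is not code from the plugin discussed here or from either poster. It sends the strict policy listed above to anonymous visitors and a relaxed one to wp-admin and logged-in users, widening only the directives the thread reports as broken. The function names, the `default-src` fallback and the extra image hosts (`ps.w.org`, `s.w.org`) are assumptions; the hosts a given site actually needs should be read off the browser console's CSP violation messages.

```php
<?php
/**
 * Plugin Name: Context-aware CSP (added example)
 *
 * Place in wp-content/mu-plugins/ so it loads before ordinary plugins.
 * Example written for this thread; not code from the plugin discussed here.
 */

// Assemble a policy string from a directive => sources map, so the strict
// and relaxed variants are built the same way and differ only in data.
function example_csp_build( array $directives ) {
    $parts = array();
    foreach ( $directives as $name => $sources ) {
        $parts[] = $name . ' ' . implode( ' ', $sources );
    }
    return implode( '; ', $parts );
}

// Strict policy for anonymous visitors: the directives listed in the thread,
// plus a default-src fallback (an addition, not in the original list).
function example_csp_strict() {
    return array(
        'default-src'     => array( "'self'" ),
        'connect-src'     => array( "'self'" ),
        'font-src'        => array( "'self'" ),
        'img-src'         => array( "'self'" ),
        'script-src'      => array( "'self'", "'unsafe-inline'" ),
        'style-src'       => array( "'self'", "'unsafe-inline'" ),
        'frame-src'       => array( "'self'" ),
        'frame-ancestors' => array( "'self'" ),
    );
}

// Relaxed policy for wp-admin and logged-in users. Starts from the strict map
// and widens only what the thread reports as broken: the post editor needs
// 'unsafe-eval', and the plugins screen loads images from wordpress.org.
// The extra hosts are assumptions; take the real list from the browser's
// console CSP violation messages on your own site.
function example_csp_relaxed() {
    $policy = example_csp_strict();
    $policy['script-src'][] = "'unsafe-eval'";
    $policy['img-src'][]    = 'https://ps.w.org';
    $policy['img-src'][]    = 'https://s.w.org';
    $policy['img-src'][]    = 'data:';
    return $policy;
}

// Pick the policy for the current request. is_admin() is true for wp-admin
// screens and admin-ajax.php; is_user_logged_in() covers front-end views by
// an authenticated user (admin bar, customizer), which also carry inline code.
function example_csp_for_request() {
    if ( is_admin() || is_user_logged_in() ) {
        return example_csp_build( example_csp_relaxed() );
    }
    return example_csp_build( example_csp_strict() );
}

function example_csp_send_header() {
    if ( headers_sent() ) {
        return;
    }
    // Set to true while tuning: violations are only reported, not blocked.
    $report_only = false;
    $name = $report_only ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
    // Replace rather than append: if another plugin also emits a CSP header,
    // browsers enforce every policy sent, so the stricter one still wins.
    header( $name . ': ' . example_csp_for_request(), true );
}

// 'init' runs after the current user is resolved and before any output, in
// both front-end and wp-admin requests; 'send_headers' only fires on the front end.
add_action( 'init', 'example_csp_send_header' );
```

Two caveats when using this. First, turn off the CSP in the headers plugin, since a second `Content-Security-Policy` header is combined with this one and the strictest result applies, which would bring the admin breakage back. Second, if a page cache serves anonymous pages straight from disk without running PHP, this hook never runs for those responses; the strict policy for anonymous visitors then has to be set in the web server configuration instead, with this plugin covering only the uncached, logged-in requests.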

The topic 'Disable security headers for admin pages' is closed to new replies.