• Resolved Ambyomoron

    (@josiah-s-carberry)


    Wordfence writes an inline event handler javascript in the header of the page. The script ends with:

('//mysite.com/?wordfence_lh=1&hid=A49E4F44F688F7A6996859429437F777');

    where the value of hid is generated dynamically, changing every time the page is displayed.

    I am attempting to implement a Content Security Policy for my site in which it is not necessary to use the “unsafe-inline” directive. But to do this, I must either include hashes of all inline scripts or a nonce. I see no way to use nonces, but it is impossible to use hashes, too, if the script itself changes dynamically.

So, my question is whether it is really necessary to include that dynamic hid in the script? Or, can you suggest a way to avoid the potential security issue of using “unsafe-inline”? As far as I can see, the only real solution (assuming I want to continue to use Wordfence) is to change the code in the plugin to do what you want to do without dynamic, inline scripts.

  • Plugin Support wfpeter

    (@wfpeter)

    Hi @josiah-s-carberry,

    The dynamic hid is necessary to match-up AJAX requests with the initial request that loaded the page.

    To stop the script from loading entirely, you can set the Traffic Logging Mode to SECURITY ONLY on the Wordfence > Live Traffic page. This is now the default state in the plugin with new installations.

    If you’d like a workaround to only remove the script while still logging all hits, you could remove the action, wordfence::wfLogHumanHeader from the wp_head and login_head hooks in WordPress.

    There is some development scheduled around CSP involving this script and others, but I am unable to commit to delivery dates on the forums at this stage. I hope the above information can help you out.

    Thanks,

    Peter.

    Thread Starter Ambyomoron

    (@josiah-s-carberry)

    Thanks for that. I changed the traffic logging mode and that resolves the issue for me.
    I presume you will be using in the future the new WP functions that can insert a nonce in an inline script and send the pertinent response header to allow that script. I look forward to it.
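As an added illustration (not code from Wordfence or from either poster), a small must-use plugin that combines the two points raised in this thread: it removes `wordfence::wfLogHumanHeader` from the `wp_head` and `login_head` hooks as Peter describes, and it uses the core `wp_inline_script_attributes` filter and `wp_print_inline_script_tag()` helper (WordPress 5.7+) to stamp a per-request nonce onto inline scripts, so the site can send a `script-src` policy without `'unsafe-inline'`. The default priority 10 for the Wordfence action and the `init` timing for removing it are assumptions.

```php
<?php
/**
 * Plugin Name: CSP nonce helper (illustrative example, not a Wordfence component)
 * Install in wp-content/mu-plugins/. Requires WordPress >= 5.7.
 */

// Detach the Wordfence inline logging script from both hooks named in the
// support reply. Assumes Wordfence registered it at the default priority (10)
// and has done so before 'init' fires; remove_action matches on the same
// 'Class::method' string it was added with.
add_action( 'init', function () {
    remove_action( 'wp_head',    'wordfence::wfLogHumanHeader' );
    remove_action( 'login_head', 'wordfence::wfLogHumanHeader' );
}, 99 );

// One random nonce per request, shared by the CSP header and every inline tag.
function csp_nonce_example() {
    static $nonce = null;
    if ( null === $nonce ) {
        $nonce = base64_encode( random_bytes( 16 ) ); // 128 bits of CSPRNG output
    }
    return $nonce;
}

// Send the policy before any output: same-origin scripts plus inline scripts
// that carry this request's nonce. No 'unsafe-inline' is needed.
// Switch the header name to Content-Security-Policy-Report-Only while
// testing so that blocked scripts are reported instead of broken.
add_action( 'send_headers', function () {
    header(
        "Content-Security-Policy: script-src 'self' 'nonce-" . csp_nonce_example() . "'; "
        . "object-src 'none'; base-uri 'self'"
    );
} );

// Core applies this filter to every inline <script> printed through
// wp_print_inline_script_tag() / wp_get_inline_script_tag(), so each one
// gets nonce="..." matching the header above.
add_filter( 'wp_inline_script_attributes', function ( array $attributes ) {
    $attributes['nonce'] = csp_nonce_example();
    return $attributes;
} );

// An inline script emitted the policy-compatible way, for comparison with the
// raw <script> block this thread describes.
add_action( 'wp_footer', function () {
    wp_print_inline_script_tag( 'console.log("inline script allowed by nonce");' );
} );
```

Inline scripts that a theme or another plugin prints as raw `<script>` tags rather than through the core helper receive no nonce and will still be blocked, which is exactly what the browser console (or a report-only run) will show before the policy is enforced.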

  • The topic ‘dynamic inline script, hashes, and CSP unsafe-inline’ is closed to new replies.