• Resolved artim96

    (@artim96)


    Hello,
    I noticed that the tick icon for the checkboxes is being loaded from some external source
    data:image/svg+xml;utf8,%3Csvg%20xmlns%3D%27http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%27%20viewBox%3D%270%200%2020%2020%27%3E%3Cpath%20d%3D%27M14.83%204.89l1.34.94-5.81%208.38H9.02L5.78%209.67l1.34-1.25%202.57%202.4z%27%20fill%3D%27%233582c4%27%2F%3E%3C%2Fsvg%3E
    Because of our Content-Security-Policy it wouldn’t load, so it’s pretty much impossible to see if the box is checked or not. Whitelisting w3.org also won’t help. I would appreciate it if the plugin would not load such simple things from an external website.

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Author room34

    (@room34)

    Are you sure you are submitting this ticket for the correct plugin? This code does not exist anywhere in No Nonsense. No Nonsense does not use any tick icon images.

    Wherever this code is from though, what I see in this sample code you pasted in is encoded SVG/XML data. It’s not loading anything from w3.org; that’s just the value inside the xmlns (XML namespace) attribute of the <svg> tag. The entirety of the image would be right there in that code, not loading any extra assets at all.

    Thread Starter artim96

    (@artim96)

    That’s what the browser’s console shows me when e.g. I want to tick the “also kill any incoming XML-RPC request” checkbox. Read: the message that this specific element has been refused to load because of content security policy appears in the console the exact moment when I click the checkbox and will be displayed every time I reload the site until I uncheck the box. So this error message can only be triggered by this plugin.

    Plugin Author room34

    (@room34)

    I did a bit more checking, and that code is in WordPress core. It does appear that WordPress uses it to generate custom-designed checkboxes for the admin pages, so it’s probably getting loaded on the No Nonsense page as a result. But as this is a standard part of the WordPress platform itself, it’s not something I have any control over.

    Thread Starter artim96

    (@artim96)

    I see. Interesting, thanks

    Thread Starter artim96

    (@artim96)

    This seems to be a very common problem for a few weeks now. The solution is to add data: to the whitelist of the image-src content security policy.

    Plugin Author room34

    (@room34)

    Thanks for the follow-up! This would be useful to share in a more general way (or should I say “place”) for any WordPress users who are managing a content security policy. I’m not quite sure where that would be, but perhaps here.

  • The topic ‘Tick icon loading from external’ is closed to new replies.
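
The behaviour discussed in this thread, as an added example that is not part of the original posts or of WordPress: a simplified model of how a browser matches an image URL against a policy, showing why a host entry such as w3.org never matches a `data:` URI while a `data:` scheme-source does. The CSP directive that governs images is named `img-src`; the policies, the shortened SVG and the origin `https://example.test` are constructed for the example.

```javascript
// Simplified model of CSP source matching for images: scheme-sources,
// host-sources, 'self', '*' and 'none' only (no nonces, hashes or paths).
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

function imageAllowed(header, url, pageOrigin) {
  const csp = parseCsp(header);
  // img-src falls back to default-src; with neither, images are unrestricted.
  const sources = csp.get('img-src') ?? csp.get('default-src');
  if (sources === undefined) return true;
  const target = new URL(url);
  return sources.some((src) => {
    const s = src.toLowerCase();
    if (s === "'none'") return false;
    // A scheme-source such as "data:" or "https:" matches on scheme alone.
    if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return s === target.protocol;
    // Everything below is host-based and can never match a data: URL.
    if (!/^(https?|wss?):$/.test(target.protocol)) return false;
    if (s === '*') return true;
    if (s === "'self'") return target.origin === pageOrigin;
    // Scheme prefix, port and path of a host-source are ignored in this model.
    const host = s.replace(/^[a-z][a-z0-9+.-]*:\/\//, '').split(/[/:]/)[0];
    if (host.startsWith('*.')) return target.hostname.endsWith(host.slice(1));
    return target.hostname === host;
  });
}

// Constructed, shortened inline SVG in the same form as the one in the thread.
const TICK = 'data:image/svg+xml;utf8,%3Csvg%20xmlns%3D%27http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%27%2F%3E';
const ORIGIN = 'https://example.test';

function demo() {
  return {
    selfOnly: imageAllowed("default-src 'self'", TICK, ORIGIN),       // blocked
    w3Host: imageAllowed("img-src 'self' www.w3.org", TICK, ORIGIN),  // blocked
    wildcard: imageAllowed('img-src *', TICK, ORIGIN),                // blocked
    withData: imageAllowed("img-src 'self' data:", TICK, ORIGIN),     // allowed
  };
}
console.log(demo());
```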