‘unsafe-inline’ attribute required, making CSP less secure
-
Hey
I’m on a journey hardening my website, and when implementing a Content Security Policy, I’m forced to use the “unsafe-inline” attribute as a few plugins create inline scripts, DearFlip being one of them. That results in the following warning on https://observatory.mozilla.org/analyze/oldrup.art
Content Security Policy (CSP) implemented unsafely.
This includes ‘unsafe-inline’ or data: inside script-src, overly broad sources such as https: inside object-src or script-src, or not restricting the sources for object-src or script-src.
The script in question seems to contain the DearFlip global options:
<script data-cfasync="false"> var dFlipLocation = "https://oldrup.art/wp-content/plugins/3d-flipbook-dflip-lite/assets/"; var dFlipWPGlobal = {"text":{"toggleSound":"Turn on\/off Sound","toggleThumbnails":"Toggle Thumbnails","toggleOutline":"Toggle Outline\/Bookmark","previousPage":"Previous Page","nextPage":"Next Page","toggleFullscreen":"Toggle Fullscreen","zoomIn":"Zoom In","zoomOut":"Zoom Out","toggleHelp":"Toggle Help","singlePageMode":"Single Page Mode","doublePageMode":"Double Page Mode","downloadPDFFile":"Download PDF File","gotoFirstPage":"Goto First Page","gotoLastPage":"Goto Last Page","share":"Share","mailSubject":"I wanted you to see this FlipBook","mailBody":"Check out this site {{url}}","loading":"DearFlip: Loading "},"moreControls":"download,pageMode,startPage,endPage,sound","hideControls":"","scrollWheel":"true","backgroundColor":"#777","backgroundImage":"","height":"auto","paddingLeft":"20","paddingRight":"20","controlsPosition":"bottom","duration":800,"soundEnable":"true","enableDownload":"true","enableAnnotation":"false","enableAnalytics":"false","webgl":"true","hard":"none","maxTextureSize":"1600","rangeChunkSize":"524288","zoomRatio":1.5,"stiffness":3,"pageMode":"0","singlePageMode":"0","pageSize":"0","autoPlay":"false","autoPlayDuration":5000,"autoPlayStart":"false","linkTarget":"2","sharePrefix":"dearflip-"};</script>Is there any way, the content of these inline scrips, could be moved to an external file? Could help the transition to a safe CSP and potentially give a slight performance improvement as the file could be cached.
The page I need help with: [log in to see the link]
-
Why the question arose only about the
DearFlipscript? You have a lot of inline scripts on the page:
1. `<!– Matomo –>
<script type=”text/javascript”>
var _paq = window._paq = window._paq || [];_paq.push([‘trackPageView’]);
_paq.push([‘enableLinkTracking’]);
(function() {
var u=”https:// stats.oldrup.dk/”;
_paq.push([‘setTrackerUrl’, u+’matomo.php’]);
_paq.push([‘setSiteId’, ‘2’]);
var d=document, g=d.createElement(‘script’), s=d.getElementsByTagName(‘script’)[0];
g.type=’text/javascript’; g.async=true; g.src=u+’matomo.js’; s.parentNode.insertBefore(g,s);
})();
</script>`2. you mentioned
<script data-cfasync="false"> var dFlipLocation = ...</script>3. `<script type=”text/javascript”>
(function () {
var c = document.body.className;
c = c.replace(/woocommerce-no-js/, ‘woocommerce-js’);
document.body.className = c;
})()
</script>`4. `<script type=’text/javascript’ id=’ct-scripts-js-extra’>
/* <![CDATA[ */
var ct_localizations = {“ajax_url”:”https:\/\/oldrup.art\/wp-admin\/admin-ajax.php”,”nonce”:”cb575b97fe”,”public_url”:”https:\/\/oldrup.art\/wp-content\/themes\/blocksy\/static\/bundle\/”,”rest_url”:”https:\/\/oldrup.art\/wp-json\/”,”search_url”:”https:\/\/oldrup.art\/search\/QUERY_STRING\/”,
…
/* ]]> */
</script>`Yust do use
'nonce-value'token to allow all inline script blocks.
- The topic ‘‘unsafe-inline’ attribute required, making CSP less secure’ is closed to new replies.
