• Resolved danrancan

    (@danrancan)


    Hi, I am trying to create a strict Content Security Policy (CSP) in my Nginx configuration, and I want to be sure that any outside sources that the WooCommerce Shipping & Tax plugin uses are included in my policy.

    In my Nginx virtual hosts server block, I am starting off with the following strict Content Security Policy (Header):

    add_header Content-Security-Policy "default-src 'self'";

    Is there anything that THIS PLUGIN uses that isn’t included in ‘self’, that would need to be included in a strict content security policy header?

    If so, could you please tell me what else I need to include in my Nginx header (specifying img-src rules, style-src rules, script-src rules, connect-src rules, and any other etc-src rules) to keep a strict CSP while still allowing this plugin to be fully functional? Thanks so much for any help!

    • This topic was modified 1 year, 4 months ago by James Huff. Reason: wikipedia excerpt removed
  • Plugin Support Shameem R. a11n

    (@shameemreza)

    Hi @danrancan

    The WooCommerce Shipping & Tax plugin is designed to operate within your WordPress environment and should not require additional external resources. Therefore, the ‘self’ directive in your Content Security Policy should typically be sufficient.

    However, it’s important to note that this plugin does make API calls to WooCommerce services (like woocommerce.com, api.woocommerce.com, and api.wordpress.com) for functionalities such as fetching live shipping rates, tax rates, and tracking data. Therefore, you may need to add these to your ‘connect-src’ rule.

    Here’s an example:

    add_header Content-Security-Policy "default-src 'self'; connect-src 'self' https://woocommerce.com https://api.woocommerce.com https://api.wordpress.com";

    Additionally, if you’re using any third-party payment gateways, shipping methods, or extensions that load external resources, you’ll need to include them as well. These could be in the form of scripts (script-src), images (img-src), styles (style-src), etc. You’ll need to refer to the documentation of those specific plugins for the exact domains to include.

    Please note that this is general guidance and may not cover all specific use cases. It is always recommended to thoroughly test your site after applying these changes to ensure everything works as expected.

    Feel free to reach out if you have any more questions or need further assistance. Thanks!
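The reply's point about connect-src hinges on how CSP fallback works: a fetch directive that is not set inherits default-src, but once connect-src is listed it stands alone, so 'self' has to be repeated there or the site's own admin-ajax and REST calls get blocked. The evaluator below is an added example, not code from the plugin or from this thread; the header strings mirror the two policies in the thread and the page origin https://shop.example is constructed.

```python
"""Minimal CSP evaluator for the connect-src / default-src fallback (added example)."""
from urllib.parse import urlparse

# Constructed headers: the original strict policy and the one from the reply.
STRICT_ONLY = "default-src 'self'"
WITH_CONNECT = ("default-src 'self'; connect-src 'self' https://woocommerce.com "
                "https://api.woocommerce.com https://api.wordpress.com")
PAGE_ORIGIN = "https://shop.example"  # constructed site origin, not a real shop

# Fetch directives that fall back to default-src when not set (subset used here).
FALLS_BACK = {"connect-src", "script-src", "style-src", "img-src", "font-src"}


def parse_csp(header):
    """Return {directive: [source, ...]} from a CSP header value."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def source_matches(source, url, page_origin):
    """Match one CSP source expression against a URL (scheme and host only)."""
    target = urlparse(url)
    if source == "'self'":
        origin = urlparse(page_origin)
        return (target.scheme, target.netloc) == (origin.scheme, origin.netloc)
    if source == "'none'":
        return False
    src = urlparse(source)
    if src.netloc.startswith("*."):            # wildcard host such as https://*.example
        host_ok = target.netloc.endswith(src.netloc[1:])
    else:
        host_ok = target.netloc == src.netloc
    return host_ok and (not src.scheme or src.scheme == target.scheme)


def allowed(header, directive, url, page_origin=PAGE_ORIGIN):
    """Would a load governed by `directive` to `url` be permitted by `header`?"""
    policy = parse_csp(header)
    sources = policy.get(directive)
    if sources is None and directive in FALLS_BACK:
        sources = policy.get("default-src")      # inherit from default-src
    if sources is None:
        return True  # neither the directive nor default-src is set: unrestricted
    return any(source_matches(s, url, page_origin) for s in sources)
```

Running the same URL through both headers shows why the reply re-lists 'self' under connect-src: dropping it from the second header blocks same-origin requests while still allowing the WooCommerce API hosts.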

  • The topic ‘Website Content Security Policy: Allow “Shipping & Tax” Plugin’ is closed to new replies.