• commando

    (@commando)


    I’ve just upgraded to WordPress 4.9. When I have the following line in my Nginx web server configuration the post editor doesn’t load properly – it’s a tiny box with no tools / gui. When I disable this line everything works perfectly.

    Screenshot: https://imgur.com/a/AkqHQ

    add_header Content-Security-Policy "default-src 'self' https://www.google-analytics.com ajax.googleapis.com https://www.google.com google.com gstatic.com https://www.gstatic.com connect.facebook.net facebook.com;";

    My understanding is this line only allows connections to those specified domains. Does the new editor contact a new domain to load some kind of resources?

Viewing 2 replies - 1 through 2 (of 2 total)
  • Are there any errors in the browser console? If it was cross-origin related you should see an error there.

    Thread Starter commando

    (@commando)

    Yes, you’re right, there were. It’s definitely CSP related, but I’m not sure what the solution is.

    Before, with the CSP I had, I got these errors:

    (Screenshot: WordPress 4.9 CSP Problems)

    I changed the CSP as below, and I don’t get the errors in the console any more, but it doesn’t work either.

    The problem seems to be loading / executing “data:” type elements in the page. Anyone know how to fix this?

    For now I’ll just turn CSP off, since it’s non-essential. When I have time I’ll learn more about CSP but if anyone has a quick fix that preserves some of the security I’d appreciate it.

    add_header Content-Security-Policy "default-src 'self' data: blob: filesystem: https://www.google-analytics.com ajax.googleapis.com https://www.google.com google.com gstatic.com https://www.gstatic.com connect.facebook.net facebook.com secure.gravatar.com;";

  • The topic ‘WordPress 4.9 post editor issue with Content Security Policy’ is closed to new replies.
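An added example, not part of the original thread: because `default-src` is the fallback for every fetch directive that is not set, the `data: blob: filesystem:` schemes added to it in the second policy also apply to `script-src` and `object-src`. The sketch below resolves that fallback for a policy string and reports where those schemes end up. `SCOPED_POLICY` is a constructed alternative that assumes only images and fonts need the schemes; the directives the editor actually needs have to be read from the console violation messages.

```javascript
// Added example: which source list governs each resource type in a CSP.
// Fetch directives that are absent fall back to default-src.
const FETCH_DIRECTIVES = ['script-src', 'style-src', 'img-src', 'font-src',
  'connect-src', 'media-src', 'object-src'];
const BROAD_SCHEMES = ['data:', 'blob:', 'filesystem:'];

// Split a policy string into a Map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (!name) continue;
    const key = name.toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Report, per fetch directive, the scheme sources it ends up allowing.
function schemeExposure(policy) {
  const directives = parseCsp(policy);
  const report = {};
  for (const name of FETCH_DIRECTIVES) {
    const sources = directives.get(name) || directives.get('default-src');
    if (!sources) { report[name] = ['(unrestricted)']; continue; }
    const hits = sources.filter((s) => BROAD_SCHEMES.includes(s.toLowerCase()));
    if (hits.length) report[name] = hits;
  }
  return report;
}

// Second policy from the thread, host list shortened for the example.
const THREAD_POLICY = "default-src 'self' data: blob: filesystem: " +
  'https://www.google-analytics.com secure.gravatar.com;';

// Constructed alternative (assumption: only images and fonts need the schemes).
const SCOPED_POLICY = "default-src 'self' https://www.google-analytics.com; " +
  "img-src 'self' data: blob: secure.gravatar.com; font-src 'self' data:";

console.log(schemeExposure(THREAD_POLICY)); // all seven directives listed
console.log(schemeExposure(SCOPED_POLICY)); // only img-src and font-src listed
```
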