Forum Replies Created

Viewing 4 replies - 1 through 4 (of 4 total)
  • 1. “This policy contains ‘unsafe-inline’ which is dangerous in the script-src directive.” is really dangerous, because such a CSP does not protect against XSS.
    If there is an XSS vulnerability on the web page, it can easily be exploited to insert any inline scripts.

    2. An 'unsafe-eval' in the script-src counts as ‘potentially dangerous’; even the myaccount.google.com and account.google.com pages use it. But under some conditions 'unsafe-eval' can become very dangerous.
    For example, if you allow some public CDN in the script-src, in case of XSS an attacker can load the AngularJS or VueJS library with symbolic code execution. In this case the attacker no longer needs to insert inline scripts; he will simply inject HTML markup like:

    <div ng-app ng-csp>{{$eval.constructor('alert(\'XSS\')')()}}</div>

    3. An ‘unsafe-inline’ in the style-src directive is really ‘potentially dangerous’.

    So your CSP:
    default-src 'self'; script-src 'unsafe-inline' 'unsafe-eval' http:; style-src 'unsafe-inline' http:; img-src http: data:; font-src http: data:; sandbox allow-forms allow-scripts

    does not protect against XSS. An ‘unsafe-inline’ allows injecting any inline scripts, and ‘unsafe-eval’ + http: allows loading any framework from a public CDN and injecting scripts via HTML markup.

    • This reply was modified 3 years, 2 months ago by granty.
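The three findings above turned into a small checker (an added example, not code from the forum post): it parses a Content-Security-Policy value, applies the default-src fallback the way a browser does, and reports the 'unsafe-inline', 'unsafe-eval'-plus-external-host and style-src cases in the order the reply ranks them. The header values in the comments are constructed.

```python
# Added example (not from the forum post): report the CSP weaknesses the reply ranks,
# from a raw Content-Security-Policy header value.
KEYWORDS = {"self", "none", "unsafe-inline", "unsafe-eval", "unsafe-hashes", "strict-dynamic"}
NONCE_OR_HASH = ("nonce-", "sha256-", "sha384-", "sha512-")

def parse_csp(header: str) -> dict:
    """Split a header value into {directive: [sources]}; directive names lowercased."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), []).extend(tokens[1:])
    return policy

def effective_sources(policy: dict, directive: str) -> set:
    """Sources governing `directive`, falling back to default-src as browsers do.
    Quotes are stripped so 'self' and self compare equal."""
    raw = policy.get(directive, policy.get("default-src", []))
    return {s.strip("'").lower() for s in raw}

def check_csp(header: str) -> list:
    """Findings in the order the reply ranks them (dangerous before potentially dangerous)."""
    policy = parse_csp(header)
    script = effective_sources(policy, "script-src")
    style = effective_sources(policy, "style-src")
    findings = []
    # 1. 'unsafe-inline' in script-src: no XSS protection at all, unless a nonce/hash is
    #    also present, in which case CSP3 browsers ignore 'unsafe-inline'
    if "unsafe-inline" in script and not any(s.startswith(NONCE_OR_HASH) for s in script):
        findings.append("dangerous: script-src 'unsafe-inline' gives no protection against XSS")
    # 2. 'unsafe-eval' is only 'potentially dangerous' on its own, but with a bare scheme,
    #    wildcard or CDN host, injected markup can pull in a framework and evaluate code
    external = sorted(s for s in script
                      if s not in KEYWORDS and not s.startswith(NONCE_OR_HASH))
    if "unsafe-eval" in script and external:
        findings.append("dangerous: 'unsafe-eval' together with external sources %s lets injected "
                        "HTML markup run code via a framework loaded from them" % external)
    elif "unsafe-eval" in script:
        findings.append("potentially dangerous: script-src 'unsafe-eval'")
    # 3. inline styles: CSS injection, but no script execution
    if "unsafe-inline" in style:
        findings.append("potentially dangerous: style-src 'unsafe-inline'")
    return findings
```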

    Firefox does not support the ‘script-src-elem’ / ‘style-src-elem’ / ‘style-src-attr’ directives. Only Chrome supports them. That’s why Firefox reports in the console:
    Content Security Policy: Couldn’t process unknown directive ‘...’
    It’s not an error, just an informational message.

    Therefore you have to use the ‘script-src’ and ‘style-src’ directives in the Content Security Policy anyway, and fill them with hosts/tokens like:

    ‘script-src’ = ‘script-src-elem’ + ‘script-src-attr’
    ‘style-src’ = ‘style-src-elem’ + ‘style-src-attr’

    removing duplicates and incompatible sources.

    • This reply was modified 3 years, 7 months ago by granty.
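A helper for the merge described above (an added example, not part of the post): it folds the -elem and -attr directives into the fallback 'script-src' / 'style-src', drops duplicates and a 'none' that would be invalid next to other sources, and warns when 'unsafe-inline' lands next to a nonce or hash, since CSP3 browsers then ignore it. The header value and the 'nonce-r4nd0m' token in the test are constructed.

```python
# Added example (not from the forum post): fold the -elem / -attr directives into the
# fallback 'script-src' / 'style-src', removing duplicates and incompatible sources.
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

def parse_csp(header: str) -> dict:
    """{directive: [sources]} in header order; directive names lowercased."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), []).extend(tokens[1:])
    return policy

def merge_sources(*lists) -> tuple:
    """Concatenate source lists keeping first occurrences; return (sources, warnings)."""
    merged, warnings = [], []
    for src in (s for lst in lists for s in lst):
        if src not in merged:
            merged.append(src)
    # 'none' is only valid on its own; next to other sources it is dropped
    if "'none'" in merged and len(merged) > 1:
        merged.remove("'none'")
        warnings.append("'none' dropped: it cannot be combined with other sources")
    # an -attr policy usually relies on 'unsafe-inline' for event handlers, but once a nonce
    # or hash from the -elem policy sits in the same directive, CSP3 browsers ignore it
    if "'unsafe-inline'" in merged and any(s.startswith(NONCE_OR_HASH) for s in merged):
        warnings.append("'unsafe-inline' is ignored next to a nonce/hash; inline event "
                        "handlers need 'unsafe-hashes' plus their hashes instead")
    return merged, warnings

def with_fallbacks(header: str) -> tuple:
    """Return (header, warnings) where script-src/style-src cover the -elem/-attr sources.
    The -elem/-attr directives are kept so browsers that support them keep using them."""
    policy = parse_csp(header)
    warnings = []
    for base in ("script-src", "style-src"):
        elem, attr = policy.get(base + "-elem", []), policy.get(base + "-attr", [])
        if elem or attr:
            merged, found = merge_sources(policy.get(base, []), elem, attr)
            policy[base] = merged
            warnings += found
    rebuilt = "; ".join(" ".join([name, *srcs]) for name, srcs in policy.items())
    return rebuilt, warnings
```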

    Why did the question arise only about the DearFlip script? You have a lot of inline scripts on the page:
    1.
    ```html
    <!-- Matomo -->
    <script type="text/javascript">
    var _paq = window._paq = window._paq || [];

    _paq.push(['trackPageView']);
    _paq.push(['enableLinkTracking']);
    (function() {
    var u="https://stats.oldrup.dk/";
    _paq.push(['setTrackerUrl', u+'matomo.php']);
    _paq.push(['setSiteId', '2']);
    var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0];
    g.type='text/javascript'; g.async=true; g.src=u+'matomo.js'; s.parentNode.insertBefore(g,s);
    })();
    </script>
    ```

    2. You mentioned `<script data-cfasync="false"> var dFlipLocation = ...</script>`

    3.
    ```html
    <script type="text/javascript">
    (function () {
    var c = document.body.className;
    c = c.replace(/woocommerce-no-js/, 'woocommerce-js');
    document.body.className = c;
    })()
    </script>
    ```

    4.
    ```html
    <script type='text/javascript' id='ct-scripts-js-extra'>
    /* <![CDATA[ */
    var ct_localizations = {"ajax_url":"https:\/\/oldrup.art\/wp-admin\/admin-ajax.php","nonce":"cb575b97fe","public_url":"https:\/\/oldrup.art\/wp-content\/themes\/blocksy\/static\/bundle\/","rest_url":"https:\/\/oldrup.art\/wp-json\/","search_url":"https:\/\/oldrup.art\/search\/QUERY_STRING\/",

    /* ]]> */
    </script>
    ```

    Just use a 'nonce-value' token to allow all inline script blocks.

    • This reply was modified 3 years, 9 months ago by granty.
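Nonce handling for inline blocks like the ones listed above (an added example, not the poster's code and not from any plugin): a fresh per-response nonce is stamped on each <script> opening tag and the matching script-src is built. The HTML and host names are constructed stand-ins; note that a loader like the Matomo snippet appends its own <script src> at runtime, so that host still has to be listed in script-src (or 'strict-dynamic' used), because the nonce on the parent block does not cover it.

```python
import re
import secrets

# Added example (not from the forum post): stamp one per-response nonce on every
# <script> opening tag and build the script-src that accepts it.
SCRIPT_OPEN = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)

def new_nonce() -> str:
    """128 random bits from the CSPRNG, base64url-encoded; generate one per response."""
    return secrets.token_urlsafe(16)

def add_nonce(html: str, nonce: str) -> str:
    """Return html with nonce="..." on each <script> tag that does not already have one."""
    def stamp(match: re.Match) -> str:
        attrs = match.group(1)
        if re.search(r"\bnonce\s*=", attrs, re.IGNORECASE):
            return match.group(0)          # already nonced: keep as is (idempotent)
        return '<script nonce="%s"%s>' % (nonce, attrs)
    return SCRIPT_OPEN.sub(stamp, html)

def script_src(nonce: str, hosts=()) -> str:
    """script-src value: the nonce admits the inline blocks, 'self' the site's own files,
    and hosts covers scripts that inline code appends at runtime (a tracker loader's
    <script src>), which the parent block's nonce does not cover without 'strict-dynamic'."""
    return " ".join(["script-src", "'self'", "'nonce-%s'" % nonce, *hosts])

# Constructed stand-in for the inline blocks quoted in the reply.
SAMPLE_HTML = """<!-- Matomo -->
<script type="text/javascript">var _paq = window._paq || [];</script>
<script data-cfasync="false">var dFlipLocation = "/wp-content/plugins/dflip/";</script>
<script src="https://www.example.invalid/app.js"></script>
"""

def secure_page(html: str = SAMPLE_HTML, hosts=("https://stats.example.invalid",)) -> dict:
    """One response: fresh nonce, nonced body, and the header to send with it."""
    nonce = new_nonce()
    return {"nonce": nonce, "body": add_nonce(html, nonce),
            "header": "default-src 'self'; " + script_src(nonce, hosts)}
```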

    Good question!
    Website visitors are so dismissive of their online privacy that it has become a concern for website developers.

    Moreover, there is an “EU cookie law”: you must obtain the explicit consent of EU visitors for the use of cookies.

    Some info is presented on Google’s web pages: https://www.cookiechoices.org/intl/en-GB/ https://policies.google.com/technologies/partner-sites?hl=en-GB https://policies.google.com/privacy?gl=en&hl=en-GB

    You can briefly outline the technical part: how a cookie gets hooked on the user’s computer and what it is fraught with. And provide a link to the privacy policies of Google, Facebook, Twitter, Instagram and the other 40 social buttons (just kidding).

    I liked how it’s done here.

    Of course, no one reads such pages, but this information should be on the site just in case. At least out of respect for visitors and their privacy.

    Just checked, there are WP plugins for that (everything has already been invented before us):
    GDPR Cookie Consent (CCPA Ready)
    WP Cookie Notice for GDPR, CCPA & ePrivacy Consent

    • This reply was modified 3 years, 12 months ago by granty.