Title: Additional Characters
Last modified: November 12, 2025

---

# Additional Characters

 *  Resolved [blueskywebdesign](https://wordpress.org/support/users/blueskywebdesign/)
 * (@blueskywebdesign)
 * [6 months, 2 weeks ago](https://wordpress.org/support/topic/additional-characters/)
 * Hello. Hope you are well. I have been using your plugin for some time now. Thanks.
 * In this latest update I noticed that the plugin added additional characters to
   some of the policies, specifically ‘self’, ‘none’, ‘unsafe-inline’ and ‘unsafe-eval’.
   See below.
 * PLUGIN
    - Contributors: unicorn03, unicorn07, erku, alexclassroom
    - Donate link: [https://www.buymeacoffee.com/tentacleplugins](https://www.buymeacoffee.com/tentacleplugins)
    - Tags: headers security, hsts, headers, clickjacking, csp
    - Requires at least: 4.7
    - Tested up to: 6.8.1
    - Stable tag: 5.1.1
 * MY CSP
 * ```
   report-to endpoint;
   upgrade-insecure-requests;
   frame-ancestors 'self';
   object-src 'none';
   worker-src 'self' blob:;
   child-src 'self' blob:;
   font-src 'self' data: https://*.gstatic.com;
   img-src 'self' data: https://*.gravatar.com https://*.w.org https://*.elegantthemes.com;
   default-src 'self';
   media-src 'self';
   form-action 'self';
   style-src 'self' 'unsafe-inline' https://*.googleapis.com;
   frame-src 'self' https://*.google.com;
   connect-src 'self' https://*.elegantthemes.com https://*.digitaloceanspaces.com https://cloudflareinsights.com;
   script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.google.com https://*.gstatic.com https://*.cloudflareinsights.com;
   ```
 * My .htaccess file
 * BEGIN Headers Security Advanced & HSTS WP 5.1.1
 * ```
   Header set Access-Control-Allow-Methods "GET,POST"
   Header set Access-Control-Allow-Headers "Content-Type, Authorization"
   Header set Content-Security-Policy "report-to endpoint; upgrade-insecure-requests; object-src \'none\'; worker-src \'self\' blob:; child-src \'self\' blob:; font-src \'self\' data: https://*.gstatic.com; img-src \'self\' data: https://*.gravatar.com https://*.w.org https://*.elegantthemes.com; default-src \'self\'; media-src \'self\'; form-action \'self\'; style-src \'self\' \'unsafe-inline\' https://*.googleapis.com; frame-src \'self\' https://*.google.com; connect-src \'self\' https://*.elegantthemes.com https://*.digitaloceanspaces.com https://cloudflareinsights.com; script-src \'self\' \'unsafe-inline\' \'unsafe-eval\' https://*.google.com https://*.gstatic.com https://*.cloudflareinsights.com;"
   Header set Cross-Origin-Embedder-Policy "unsafe-none; report-to=\'default\'"
   ```
 * On a test site, I removed the plugin (via ssh), rebuilt the .htaccess file to
   the WordPress defaults. I logged in to the site, downloaded a fresh copy of your
   plugin and the problem returned once I activated the plugin. The only way to
   solve it was to manually edit the .htaccess file and make the appropriate “delete”
   of the additional character.

Viewing 7 replies - 1 through 7 (of 7 total)

 *  Plugin Author [Andrea Ferro](https://wordpress.org/support/users/unicorn03/)
 * (@unicorn03)
 * [6 months, 2 weeks ago](https://wordpress.org/support/topic/additional-characters/#post-18717819)
 * Hi **[@blueskywebdesign](https://wordpress.org/support/users/blueskywebdesign/),**
 * Thank you for this thread and for using the plugin for so long. My name is Andrea
   and I will help you resolve your issue as quickly as possible.
 * Last night I updated the plugin to **the latest version, 5.1.2**, and if you 
   can confirm my understanding of the issue you are experiencing, I will release
   the update immediately so we can resolve the problem.
 * **In practice, in the latest version, an escape is performed:**
   ‘self’ – ‘unsafe-inline’ – ‘unsafe-eval’ – ‘none’ _**(but these values must not perform the escape)**_
 * **Input:** `default-src 'self'; script-src 'self' 'unsafe-inline'`
   **Output:** `default-src 'self'; script-src 'self' 'unsafe-inline'`
 * > Single quotes NOT escaped
 * **Permissions-Policy with URL:**
   Input: `microphone=(self "https://example.com")`
   Output: `microphone=(self\"https://example.com\")`
 * > Escaped double quotation marks
 *  Plugin Author [Andrea Ferro](https://wordpress.org/support/users/unicorn03/)
 * (@unicorn03)
 * [6 months, 2 weeks ago](https://wordpress.org/support/topic/additional-characters/#post-18717942)
 * Hi **[@blueskywebdesign](https://wordpress.org/support/users/blueskywebdesign/),**
 * Thank you for reporting this issue. You were absolutely correct, the plugin was
   incorrectly escaping single quotes in CSP directives.
 * **Issue confirmed**
   The plugin was escaping both double quotes and single quotes,
   which caused CSP keywords like `'self'`, `'unsafe-inline'`, and `'unsafe-eval'`
   to be escaped as `\'self\'`, breaking the Content Security Policy functionality.
 * **Fixed in Version 5.1.2**
   The escaping logic has been corrected to only escape double quotes (needed for
   Permissions-Policy URLs) while preserving single quotes (required for CSP
   directive keywords).
 * **Testing completed**
   The fix has been thoroughly tested with:
    - CSP directives: `default-src 'self'; script-src 'self' 'unsafe-inline'` Single
      quotes preserved (not escaped) 
    - Permissions-Policy: `microphone=(self "https://exampledomain.com")` Double
      quotes properly escaped in .htaccess, correctly rendered in browser
 * **How to update**
    1. Download or update version 5.1.2
    2. Go to Settings → Headers Security Advanced & HSTS WP
    3. Click “Save Changes” to regenerate the .htaccess with correct syntax
 * Your CSP directives with single quotes will now work correctly without being 
   escaped.
 * I hope I’ve solved your problem and that you enjoyed the support.
   Thank you for helping improve the plugin!
 *  Thread Starter [blueskywebdesign](https://wordpress.org/support/users/blueskywebdesign/)
 * (@blueskywebdesign)
 * [6 months, 2 weeks ago](https://wordpress.org/support/topic/additional-characters/#post-18718011)
 * Good morning. Fix confirmed.
    1. Due to the CSP policy blocking resources (such as style-src and script-src),
       I found it easier to remove the Headers Security Advanced & HSTS WP entry from
       the .htaccess file.
    2. Once inside WP, I uploaded the updated plugin via the “Plugins > Add Plugin
       > Upload Plugin”. Upon activation, the site broke again. I was able to scroll
       down to the “Plugins > Installed Plugins” section and “deactivate” HSTS. The
       website returned to normal.
    3. I then reactivated HSTS, and the plugin installed the default .htaccess setting
       (upgrade-insecure-requests).
    4. I then added my own policy, saved and verified the correct entry to the .htaccess
       file.
 * On a secondary website I repeated step 1. On step 2, I deactivated the plugin,
   then updated the plugin via the “update plugin” option in WP. The HSTS settings
   reverted to the default settings.
 *  Plugin Author [Andrea Ferro](https://wordpress.org/support/users/unicorn03/)
 * (@unicorn03)
 * [6 months, 2 weeks ago](https://wordpress.org/support/topic/additional-characters/#post-18718256)
 * Hi [@blueskywebdesign](https://wordpress.org/support/users/blueskywebdesign/),
 * Thank you for your feedback and for bringing up this topic again, as you have
   helped to improve an unfortunate bug. If you need further support or information,
   I am available to resolve the issue as quickly and efficiently as possible.
 * Could you confirm that the problem has been resolved on your other sites as well?
   Thank you.
 * I hope I have been of assistance 🙂
 *  Plugin Author [Andrea Ferro](https://wordpress.org/support/users/unicorn03/)
 * (@unicorn03)
 * [6 months, 2 weeks ago](https://wordpress.org/support/topic/additional-characters/#post-18718301)
 * Hi [@blueskywebdesign](https://wordpress.org/support/users/blueskywebdesign/),
 * To resolve the latest issue with settings not being retained, I have released
   a second update that completes version 5.1.3 and should resolve two issues.
    - keep the settings
    - have a less restrictive policy for WordPress
 * thanks for support
 *  Thread Starter [blueskywebdesign](https://wordpress.org/support/users/blueskywebdesign/)
 * (@blueskywebdesign)
 * [6 months, 2 weeks ago](https://wordpress.org/support/topic/additional-characters/#post-18718640)
 * Hi, I see you are busy updating. I got this now in Settings > Headers Security
   Advanced & HSTS WP
 * ```
   Refused to apply style from 'https://domain.com/wp-content/plugins/headers-security-advanced-hsts-wp/assets/css/style-dist.css?ver=5.1.6' because its MIME type ('text/html') is not a supported stylesheet MIME type, and strict MIME checking is enabled.
   load-scripts.php?c=0&load%5Bchunk_0%5D=jquery-core,jquery-migrate,utils,wp-polyfill&ver=6.8.3:5
   ```
 *  Plugin Author [Andrea Ferro](https://wordpress.org/support/users/unicorn03/)
 * (@unicorn03)
 * [6 months, 2 weeks ago](https://wordpress.org/support/topic/additional-characters/#post-18718679)
 * Hi **[@blueskywebdesign](https://wordpress.org/support/users/blueskywebdesign/),**
 * I think it’s only a matter of 10 minutes to see style-dist.css correctly. WordPress
   regenerates the zip file during this time, and you should no longer see the
   “Refused to apply style” warning.
 * I remain available for further feedback.


The topic ‘Additional Characters’ is closed to new replies.
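
The escaping rule discussed in this thread, together with a check for `.htaccess` files that still carry `\'` keywords, as an added example in Python (not the plugin's own code). The function names, the simplified model of how Apache reads a double-quoted argument, and the sample lines are assumptions constructed for illustration.

```python
import re

# Header [always] set <Name> "<value>", where the value may contain \" escapes.
HEADER_RE = re.compile(
    r'^\s*Header\s+(?:always\s+)?set\s+(\S+)\s+"((?:[^"\\]|\\.)*)"\s*$')

def escape_for_htaccess(value):
    """Escape only double quotes, as the thread describes for version 5.1.2.
    Single quotes pass through so CSP keywords such as 'self' stay intact."""
    return value.replace('"', '\\"')

def apache_unquote(raw):
    """Simplified model (assumption): inside a double-quoted argument a
    backslash is dropped only before '"' or '\\'; any other backslash,
    including one before a single quote, is sent to the browser as-is."""
    return re.sub(r'\\(["\\])', r'\1', raw)

def lint_htaccess(text):
    """Return (line_no, header, bad_tokens) for every CSP header whose
    delivered value still contains backslash-escaped single quotes."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = HEADER_RE.match(line)
        if not m or m.group(1).lower() != "content-security-policy":
            continue
        delivered = apache_unquote(m.group(2))
        bad = re.findall(r"\\'[A-Za-z0-9-]+\\'", delivered)
        if bad:
            findings.append((no, m.group(1), bad))
    return findings

# Constructed sample: line 1 reproduces the escaping reported in the thread,
# line 2 is the corrected form, line 3 is a Permissions-Policy with a URL.
SAMPLE = r'''Header set Content-Security-Policy "default-src \'self\'; object-src \'none\'"
Header set Content-Security-Policy "default-src 'self'; object-src 'none'"
Header set Permissions-Policy "microphone=(self \"https://example.com\")"
'''

if __name__ == "__main__":
    for no, name, bad in lint_htaccess(SAMPLE):
        print(f"line {no}: {name} contains escaped keywords: {', '.join(bad)}")
```

Running `lint_htaccess()` over a site's `.htaccess` after a plugin update shows whether the CSP header needs to be regenerated before browsers start ignoring its keywords.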


 * 7 replies
 * 2 participants
 * Last reply from: [Andrea Ferro](https://wordpress.org/support/users/unicorn03/)
 * Last activity: [6 months, 2 weeks ago](https://wordpress.org/support/topic/additional-characters/#post-18718679)
 * Status: resolved