• Resolved JohnRDOrazio

    (@lwangaman)


    I have been tightening up security on my websites, and have set HSTS headers which allow for jetpack.wordpress.com and widgets.wp.com for frame-src attributes. However I recently started getting an error:

    Refused to frame '' because it violates the following Content Security Policy directive: "frame-src https: jetpack.wordpress.com widgets.wp.com".

    Upon inspection, I see that Jetpack is using an image data URI for the “like” iframe. Would it be possible to avoid using data URIs as the src of iframes? Perhaps just install the image locally and use the local file as frame-src (I’m guessing this is for lazy loading, until the actual source of the iframe is loaded from jetpack.wordpress.com).

    • This topic was modified 6 years, 1 month ago by JohnRDOrazio.
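An added example (not code from this thread or from Jetpack): a simplified CSP source-list matcher that shows why the directive quoted in the error rejects an iframe whose src is a data: URI, and that appending data: to frame-src would permit any data: frame rather than just the placeholder image. The page origin https://blog.example and the base64 image are constructed placeholders.

```javascript
// Simplified CSP3 source-expression matching for one directive value.
// Supports scheme-source ("https:", "data:"), host-source with optional
// scheme, "*." wildcard and port, plus 'self' and 'none'. Paths and the
// bare "*" are omitted for brevity.

function schemeMatches(exprScheme, targetScheme) {
  // CSP lets an http: expression also match https:, and ws: match wss:.
  if (exprScheme === targetScheme) return true;
  return (exprScheme === "http" && targetScheme === "https") ||
         (exprScheme === "ws" && targetScheme === "wss");
}

function defaultPort(scheme) {
  return { http: "80", https: "443", ws: "80", wss: "443" }[scheme] || "";
}

function matchesSourceExpr(expr, target, page) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return target.origin === page.origin;
  const targetScheme = target.protocol.slice(0, -1);
  // scheme-source, e.g. "https:" or "data:"
  const scheme = e.match(/^([a-z][a-z0-9+.-]*):$/);
  if (scheme) return schemeMatches(scheme[1], targetScheme);
  // host-source, e.g. "jetpack.wordpress.com", "*.wp.com", "https://a.b:443"
  const host = e.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?$/);
  if (!host) return false;
  const [, exprScheme, wildcard, hostname, port] = host;
  // Without an explicit scheme the page's own scheme applies (http may upgrade).
  if (!schemeMatches(exprScheme || page.protocol.slice(0, -1), targetScheme)) return false;
  const th = target.hostname;
  if (wildcard ? !th.endsWith("." + hostname) : th !== hostname) return false;
  if (port && port !== "*" && (target.port || defaultPort(targetScheme)) !== port) return false;
  return true;
}

// True if targetUrl is allowed by the directive value (the part after "frame-src").
function allowedBy(directiveValue, targetUrl, pageOrigin = "https://blog.example") {
  let target;
  try { target = new URL(targetUrl); } catch { return false; } // unparsable src: blocked
  const page = new URL(pageOrigin);
  return directiveValue.trim().split(/\s+/).some(s => matchesSourceExpr(s, target, page));
}

const FRAME_SRC = "https: jetpack.wordpress.com widgets.wp.com"; // value from the error
const DATA_IFRAME = "data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="; // constructed
console.log(allowedBy(FRAME_SRC, "https://widgets.wp.com/likes/")); // true
console.log(allowedBy(FRAME_SRC, DATA_IFRAME));                      // false: the reported refusal
console.log(allowedBy(FRAME_SRC + " data:", DATA_IFRAME));           // true, but allows every data: frame
```

A data: URL has an opaque origin and no host, so neither the https: scheme-source nor any host-source can match it; a local image served from the site would match 'self' or the site's host-source instead.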
Viewing 1 replies (of 1 total)
  • Plugin Support KokkieH

    (@kokkieh)

    Hi there,

    Where exactly are you seeing data URIs? Inspecting the Like iframe in my browser I only see regular URLs for the different src attributes.

    In any case, this sounds like a question for our developers, more than a support issue, so would you perhaps consider filing a GitHub issue instead where you can provide more details on this?

    https://github.com/Automattic/jetpack/issues

    If you have an idea on how to make this change you’re also more than welcome to start your own pull request with a proposed fix.

The topic ‘avoid data uri’s for frame-src’ is closed to new replies.