Block editor does not work with Content-Security-Policy enabled

  • Resolved strontium90

    (@strontium90)


    7 years, 2 months ago

    WP 5.1.1:

    I have enabled Content-Security-Policy with parameters “default-src ‘self’; script-src ‘self’; style-src ‘self’; img-src ‘self’; font-src ‘self’; object-src ‘none'”

    With Content-Security-Policy enabled, the block editor does not work:

    “The block editor requires JavaScript. Please enable JavaScript in your browser settings, or try the Classic Editor plugin.”

Viewing 2 replies - 1 through 2 (of 2 total)
  • Gord

    (@alinod)

    7 years, 2 months ago

    You could try script-src 'self' 'unsafe-inline'. It’s less secure, but there’s a lot of WordPress that uses inline Javascript and, in my experience, it won’t work properly without that. It’s still more secure than allowing Javascript to be loaded from anywhere in the world.

    • This reply was modified 7 years, 2 months ago by Gord.
    Plugin Author Dimitar Ivanov

    (@zinoui)

    7 years, 2 months ago

    These two headers will make the block editor to works with CSP

    Header set Access-Control-Allow-Headers "X-WP-Nonce"
Header set Content-Security-Policy "script-src 'unsafe-inline' 'unsafe-eval' http: https:"
Viewing 2 replies - 1 through 2 (of 2 total)

The topic ‘Block editor does not work with Content-Security-Policy enabled’ is closed to new replies.

Tags