• Hello Peter,

    Sorry to bother you again.

    I’m trying to implement better security on my website by implementing a Content Security Policy, but when I do so, it appears to stop WP Data Access working!

    I am not red-hot on CSPs at the best of times, but have implemented one as follows:

    default-src 'self'; script-src 'unsafe-inline' 'unsafe-eval' http:; style-src 'unsafe-inline' http:; img-src http: data:; font-src http: data:; sandbox allow-forms allow-scripts

    When I switch that on, the web page displays OK, but the ‘list of composers’ stuff that is meant to display an alphabetical list of composers from a WP Data Access table merely displays the word ‘ComposerName’ twice. It happens on any page, actually, that’s trying to fetch content from a Data Access table.

    Clearly, my CSP instruction to use ‘unsafe-inline, unsafe-eval and http’ script sources is interfering in WP Data Access’s ability to actually fetch data from its table.

    If I delete the Content-Security-Policy entirely, it all works as normal.

    Can you shed any light on what bits of the policy I need to relax to get WPDA working normally, please? I don’t think it’s really a WP Data Access problem, to be fair, so if you declare it’s out-of-scope, that’s fine.

    I’ll leave the broken website up for a while, so you can see it not working. I’ll have to fix it at some point though, so if it all looks perfect if/when you visit, it will be because I’ve reverted the CSP!

    Best wishes,
    Howard


Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter dizwell

    (@dizwell)

    Following up: Having done some reading around the subject of CSPs, it seems that they are destined to not work whenever a site uses a lot of JavaScript and so on. So, I’ve now implemented the bare minimum:

    default-src https: 'unsafe-inline'

    The effect is not to really have much by way of an *effective* security policy, but it at least keeps WP Data Access (and everything else!) working. And that seems to be quite a common outcome of attempts to implement a CSP, so I’ll live with it!

    So unless you have further insights on the matter, please don’t waste any time looking into this!

    Many thanks for all you do,
    Howard

    Plugin Author Passionate Programmer Peter

    (@peterschulznl)

    Hi Howard,

    Good to hear from you again! And great to see you’re still using WP Data Access.

    I’m a bit confused about your CSP issue. Your response contains hyperlinks, which is inline HTML, and I thought CSP would just block inline CSS and scripts. The inline HTML could be moved to a column renderer, but that would make the whole thing a lot more complex and lead to more resource usage, without improving security.

    I’m currently out on sick leave. Let me look into this when I feel better. I’ll let you know the outcome.

    Best regards,
    Peter

    Thread Starter dizwell

    (@dizwell)

    Hi Peter: get well and don’t bother looking into the issue. The problem is me not understanding CSPs, which (as you say) are simply not really ever going to sensibly work with JavaScript-heavy websites.

    I’ve now reverted to a fairly minimal default-src https: 'unsafe-inline' 'self' data:; base-uri 'self'; frame-ancestors 'none'; object-src 'none';, which is effectively ‘This is a CSP which doesn’t do much, but does at least require code to be executed via https and doesn’t allow the site to be click-jacked in other people’s frames etc’, but *does* count as a CSP of some sort.

    It at least means I now pass the security scanning tests at sites like observatory.mozilla.org with a B+ rating (which is rather better than my starting F fail grade!), but I don’t break my site in the process.

    The fault was mine not really understanding what CSPs did or set out to do. I’m much more informed now, and realise aiming for an A rating with much stricter limits on script sources and so on would be practically impossible without a lot more effort than I’m prepared to throw at a hobby site!

    Anyway: look after yourself and get well soon!

    Best wishes,
    Howard
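The two policies quoted in this thread (the first one that emptied the WP Data Access tables, and the final minimal one) can be checked mechanically rather than by trial and error. The following is an added example written for this page; it is not code from the WP Data Access plugin or from either poster. It parses a serialized CSP into its directives, resolves the fallback from default-src for fetch directives, and reports what each policy still permits. One finding it surfaces on the first policy is the sandbox directive: a CSP sandbox without allow-same-origin gives the document an opaque origin, so the browser treats the page's own XMLHttpRequest/fetch calls as cross-origin and sends no cookies, which is enough on its own to leave a data table empty while the static page renders normally. The finding texts and the ordering of the checks are this example's own choices.

```python
"""Parse and lint Content-Security-Policy strings (added example, not plugin code)."""
from __future__ import annotations

# The two policies posted in the thread, copied verbatim.
ORIGINAL_CSP = (
    "default-src 'self'; script-src 'unsafe-inline' 'unsafe-eval' http:; "
    "style-src 'unsafe-inline' http:; img-src http: data:; font-src http: data:; "
    "sandbox allow-forms allow-scripts"
)
FINAL_CSP = (
    "default-src https: 'unsafe-inline' 'self' data:; base-uri 'self'; "
    "frame-ancestors 'none'; object-src 'none';"
)


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a serialized policy into {directive-name: [tokens]}.

    Directives are ';'-separated; the first token of each is the name (case-
    insensitive) and the rest are source expressions or sandbox flags. Browsers
    ignore a repeated directive name, so the first occurrence wins here too.
    """
    directives: dict[str, list[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue  # trailing ';' or empty segment
        name = tokens[0].lower()
        if name not in directives:
            directives[name] = tokens[1:]
    return directives


def effective_sources(directives: dict[str, list[str]], fetch_directive: str) -> list[str]:
    """Sources that govern a fetch directive; fetch directives fall back to default-src.

    Note that base-uri and frame-ancestors do NOT fall back to default-src, so
    they must be checked for presence separately.
    """
    if fetch_directive in directives:
        return directives[fetch_directive]
    return directives.get("default-src", [])


def lint_csp(policy: str) -> list[str]:
    """Return human-readable findings about what the policy still allows."""
    findings: list[str] = []
    d = parse_csp(policy)

    # A sandboxed document without allow-same-origin has an opaque origin:
    # cookies are withheld and same-origin AJAX becomes cross-origin.
    if "sandbox" in d and "allow-same-origin" not in d["sandbox"]:
        findings.append(
            "sandbox without allow-same-origin: the page gets an opaque origin, "
            "so same-origin AJAX/REST calls and cookies break"
        )

    for fetch in ("script-src", "style-src"):
        srcs = effective_sources(d, fetch)
        if "'unsafe-inline'" in srcs:
            findings.append(f"{fetch} allows 'unsafe-inline': inline injection is not blocked")
        if fetch == "script-src" and "'unsafe-eval'" in srcs:
            findings.append("script-src allows 'unsafe-eval': eval()/Function() remain usable")
        if "http:" in srcs:
            findings.append(f"{fetch} allows http: (any cleartext origin may serve resources)")
        if fetch == "script-src" and "data:" in srcs:
            findings.append("script-src allows data: (data: URIs can carry executable script)")

    # These two never inherit from default-src, so absence means no protection.
    for required in ("frame-ancestors", "base-uri"):
        if required not in d:
            findings.append(f"missing {required}")

    # object-src does inherit; anything other than 'none' still permits plugins.
    if effective_sources(d, "object-src") != ["'none'"]:
        findings.append("object-src is not 'none' (effective value inherited or too broad)")

    return findings


if __name__ == "__main__":
    for label, policy in (("original", ORIGINAL_CSP), ("final", FINAL_CSP)):
        print(f"== {label} policy: {len(lint_csp(policy))} finding(s)")
        for line in lint_csp(policy):
            print("  -", line)
```

A practical way to use such a report is to ship each candidate policy under the Content-Security-Policy-Report-Only header first: the browser logs violations to the console (and to report-uri/report-to if configured) without blocking anything, so a policy can be tightened one directive at a time while the site keeps working.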


The topic ‘Content Security Policy breaks WP Data Access’ is closed to new replies.