Hi @farnely,
As far as I know, TinyMCE loads scripts in ways WordPress can’t fully control. These scripts don’t all use WordPress’s normal loading system. Some come directly from WordPress core. Some are added by JavaScript after the page loads. Some are created by TinyMCE itself when it runs.
Because of this, WordPress’s hooks for adding security codes never run for these scripts. Your security code system never sees them. That is why your security rules block exactly three TinyMCE scripts. They are either hard-coded or made when TinyMCE starts working.
Since you cannot use WordPress hooks for scripts loaded this way, you can try a different approach for these special TinyMCE scripts, add your security codes directly to the Content Security Policy header for these specific scripts.
You need to find the exact script sources from your browser’s error messages. Then add these sources to your security policy using ‘unsafe-inline’ or calculate script hashes for each one.
@farnely,
Please note that using ‘unsafe-inline’ is not safe. It turns off your script protection. This lets any script run on your page, even bad ones. Hackers can use this to attack your site.
Finding and using the exact script hash is the safe way. This only allows that one specific script to run. This keeps your protection working while letting TinyMCE work. But you must get the hash exactly right, and it may change if TinyMCE updates.
For your admin area only, using ‘unsafe-inline’ might be okay if all admin users are trusted. For your public site, using hashes is much safer.
@mehrazmorshed
Oddly, I had tried adding the hashes from devtools but they didn’t work. I wondered if perhaps a mixture of hashes and nonces wouldn’t work. I’ve tried it again today and now it works!! I must have made a mistake somewhere in my pasting.
So relieved :-). Many thanks!
