• Resolved Skrlance

    (@seanlance)


    Does the latest version of WordPress by default require:

    worker-src ‘self’ blob:

    to be permitted in the Content Security Policy?

    Previously, my content security policy was:

    Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval'"

    Now, I have to keep the following on my web server to remove the error that WordPress Admin shows in the browser console:

    Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval'; worker-src 'self' blob:"

    The error on the browser console says:

    wp-admin/:84 Refused to create a worker from 'blob:https://mydomain.com/51238748-89eb-4184-9aaa-4d53bfb5e2ca' because it violates the following Content Security Policy directive: "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval'". Note that 'worker-src' was not explicitly set, so 'default-src' is used as a fallback.

    I have confirmed that this error comes from WordPress core itself by deactivating all the plugins and switching to the Twenty Twenty-Five theme.
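    As an added example that is not part of the original post, the following Python model reproduces the fallback the browser message describes (and generalizes it to the full CSP Level 3 chain for worker requests: worker-src, then child-src, then script-src, then default-src), so a policy can be checked offline before it is deployed. The blob URL below is constructed for the test.

```python
# Fallback chain a browser walks for a worker request (CSP Level 3):
# worker-src -> child-src -> script-src -> default-src.
WORKER_FALLBACK = ("worker-src", "child-src", "script-src", "default-src")

# Schemes that the wildcard '*' does NOT cover; they must be listed explicitly.
NON_NETWORK_SCHEMES = {"blob", "data", "filesystem"}


def parse_csp(header):
    """Parse a Content-Security-Policy value into {directive: [source, ...]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def effective_directive(policy, chain=WORKER_FALLBACK):
    """Return (name, sources) of the first directive in the chain that is set."""
    for name in chain:
        if name in policy:
            return name, policy[name]
    return None, None


def worker_allowed(header, worker_url):
    """Decide whether a worker loaded from worker_url passes the policy.

    Returns (allowed, directive_used). Only scheme-source matching is done,
    which is what decides blob: URLs; host-source matching is out of scope.
    'self' never matches blob:, which is why the original policy failed.
    """
    name, sources = effective_directive(parse_csp(header))
    if name is None:
        return True, None  # no governing directive: workers are unrestricted
    scheme = worker_url.split(":", 1)[0].lower()
    if scheme + ":" in sources:
        return True, name
    if "*" in sources and scheme not in NON_NETWORK_SCHEMES:
        return True, name
    return False, name
```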

Viewing 5 replies - 1 through 5 (of 5 total)
  • Moderator threadi

    (@threadi)

    No, WordPress does not provide anything like that. worker-src does not even exist in the WordPress core: https://github.com/search?q=repo%3AWordPress%2FWordPress%20worker-src&type=code

    I would guess that your server is setting this parameter. Contact your host’s support team to clarify this. Alternatively, you can test it by moving the project 1:1 to a completely different host and seeing what is set there.

    Thread Starter Skrlance

    (@seanlance)

    Yes, I know worker-src doesn't exist in WordPress; it exists in the Content Security Policy header configured on my server, which I manage myself.

    Can anyone knowledgeable reply?

    Thread Starter Skrlance

    (@seanlance)

    Let's close this topic here.


    @seanlance yeah, I'm with you here. This has been happening very recently and I don't exactly understand what it's trying to load here. I'm not sure if this is an insecure configuration either.

    Thread Starter Skrlance

    (@seanlance)

    I got to know that in WordPress, particularly within the Block Editor (Gutenberg), Blob URLs are utilized to handle and display client-side data, primarily for temporary or in-memory resources. They are not used for persistent storage or traditional file serving from the server.

    I would have talked more about this if a guy like threadi hadn't made me upset. He posted the reply without even reading what I am asking in my question, and he shouldn't have made that reply because he doesn't have any idea about it.


The topic ‘CSP blob: WordPress’ is closed to new replies.