• for security compliance (A+ rating on securityheaders.com), the plugin requires CSP directives that reduce security:
  – ‘unsafe-inline’ in script-src
  – ‘unsafe-eval’ in script-src
  – data: sources [problem with Firefox]

    Would it be possible to make the plugin CSP-strict compatible by:
    – Using nonces for inline scripts
    – Avoiding eval() functions
    – Loading scripts from external files

    This would help achieve A+ security ratings while keeping full functionality.

    Thank you for your excellent work!

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author Md Shamim Islam

    (@shamim10)

    Hi @vbreton ,

    All the issues you reported have been fixed:

    • Scripts are now fully external (no inline or eval).
    • Audio files use standard URLs (no data: URIs).
    • Event handling and DOM updates are fully React-based.

    The audio player is now CSP-compliant and should work without security warnings.

    Thanks,
    Md. Shamim Islam

    Thread Starter Vincent Breton

    (@vbreton)

    While browsing the code of the Audio Player Block Pro extension, I noticed several issues that still pose problems for strict CSP (Content Security Policy) compliance:

    🚩 Detected issues

    • new Function() (eval equivalent):
      – found in build/index.js
      – found in freemius/assets/js/pricing/freemius-pricing.js
    • data: URI (forbidden by strict CSP):
      – found in assets/js/fs.js
      – build/admin-dashboard.js
      – build/index.js
      – build/view.js
      – several files in freemius/

    So, despite your answer, the plugin still includes:
    • dynamic code generators (new Function()) that require unsafe-eval
    • data: encoded resources that require data: to be allowed in CSPs.

    Maybe you only patched the free plugin or the update is not yet available in France?

    Thanks for your help
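The kind of check the thread starter describes (searching the shipped JavaScript for new Function(), eval() and data: URIs), as an added example that is not part of any post in this thread and not code from the plugin or the Freemius SDK. It is a small Python scanner run over a constructed sample tree; the file names, the sample contents and the RELAXATION mapping are assumptions made for the example, and a real build would be scanned by calling scan_tree() on the plugin directory.

```python
"""Scan built JavaScript for constructs that a strict Content Security Policy
rejects: dynamic code (needs 'unsafe-eval') and data: URIs (need a data: source).

Added example for this thread; it is not code from the plugin, from Freemius,
or from any post above. The sample files below are constructed so the scan
runs offline; call scan_tree() on a real plugin directory for a real check.
"""
import re
import tempfile
from pathlib import Path

# Each rule: what the hit costs in CSP terms -> regex that finds it in JS source.
PATTERNS = {
    "unsafe-eval: new Function()": re.compile(r"\bnew\s+Function\s*\("),
    # (?<!\w) keeps evaluate(), _eval() etc. from matching; window.eval( still does.
    "unsafe-eval: eval()": re.compile(r"(?<!\w)eval\s*\("),
    # A string body passed to setTimeout/setInterval is compiled like eval().
    "unsafe-eval: setTimeout/setInterval(string)": re.compile(
        r"\bset(?:Timeout|Interval)\s*\(\s*['\"]"
    ),
    # Quoted or url(...) data: URI with a MIME type, e.g. "data:audio/mpeg;base64,...".
    "data: URI": re.compile(r"""['"(]\s*data:[\w.+-]+/[\w.+-]+[;,]"""),
}

# Which CSP relaxation each finding forces on the site operator (assumed mapping).
RELAXATION = {
    "unsafe-eval: new Function()": "script-src 'unsafe-eval'",
    "unsafe-eval: eval()": "script-src 'unsafe-eval'",
    "unsafe-eval: setTimeout/setInterval(string)": "script-src 'unsafe-eval'",
    "data: URI": "data: in the matching fetch directive (media-src, img-src, ...)",
}


def scan_text(text):
    """Return (line_no, issue, excerpt) for every hit; the excerpt is a window
    around the match so one-line minified bundles still give useful context."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for issue, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                excerpt = line[max(0, m.start() - 30): m.end() + 30].strip()
                hits.append((line_no, issue, excerpt))
    return hits


def scan_tree(root, exts=(".js", ".mjs")):
    """Map each script file under root (posix relative path) to its hits."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in exts:
            hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                findings[path.relative_to(root).as_posix()] = hits
    return findings


def required_relaxations(findings):
    """The set of CSP directives that would have to be loosened to ship this code."""
    return {RELAXATION[issue] for hits in findings.values() for _, issue, _ in hits}


# Constructed sample tree (not the plugin's real files).
SAMPLE_FILES = {
    # One-line "minified" bundle with both classes of problem on the same line.
    "build/index.js": (
        'var g=new Function("return this")();'
        'var a=new Audio("data:audio/mpeg;base64,SUQzBAAAAAAAI1RTU0UAAAAPAAAD");'
    ),
    # Clean build: external script, plain media URL, no dynamic code.
    "build/view.js": (
        'const src="/wp-content/plugins/example/assets/track.mp3";\n'
        'document.querySelector("audio").setAttribute("src",src);\n'
        'function evaluate(x){return x*2;}\n'
    ),
    # Third-party SDK with a string timer and a bare eval().
    "vendor/sdk.js": 'setTimeout("refresh()",1000);\nwindow.eval(payload);\n',
    # Not a script: must be ignored even though it contains data:.
    "readme.txt": "data:text/plain,ignored",
}


def demo():
    """Write the sample tree to a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLE_FILES.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return scan_tree(tmp)


if __name__ == "__main__":
    result = demo()
    for rel, hits in result.items():
        for line_no, issue, excerpt in hits:
            print(f"{rel}:{line_no}: {issue}: {excerpt}")
    print("CSP relaxations this code would force:", sorted(required_relaxations(result)))
```

The regexes are deliberately narrow (a quoted or url(...) data: URI with a MIME type, eval( not preceded by an identifier character) so that names like evaluate() and plain URLs do not produce noise; a hit in a minified bundle is a starting point for reading the surrounding code, not proof by itself that the browser will block it.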

    Plugin Author Md Shamim Islam

    (@shamim10)

    Hi @vbreton

    Thanks for pointing this out. I’m already working on fixing the CSP issues. Since it needs some careful changes and testing, please allow me a few more days to provide a clean update.

    Plugin Author Md Shamim Islam

    (@shamim10)

    Hi @vbreton

    We usually handle subscriptions and licensing through Freemius. Since the CSP-related issues you mentioned (such as new Function() usage and data: URIs) are part of the Freemius SDK itself, the best way to get this resolved would be to report it directly on their official repository: Freemius WordPress SDK. Their team is in the best position to address these issues.

    In the meantime, I’ll also keep an eye on this from my side. Hopefully, a fix will be available soon.


The topic ‘CSP Compatibility Request – Audio Player Block Pr’ is closed to new replies.