• brnatermedia

    (@brnatermedia)


    The SiteKit plugin requires a less secure Content Security Policy configuration to accommodate its use of new Function throughout its scripts, specifically this one:

    google-site-kit/dist/assets/js/googlesitekit-vendor-e44f66f39f4394756bf1.js

    CSP doesn’t allow the ‘unsafe-eval’ attribute to be scoped per domain or script origin, meaning enabling it globally would weaken the security posture for the entire site. We’re aiming to maintain strong security standards with our site, and at the same time we enjoy the features of your plugin.

    I’d like to request that future versions of the plugin avoid reliance on eval-like functions such as new Function(), allowing the plugin to run without compromising more secure CSP configurations.

    Are there plans in place already for making this update? Will you consider adding this update to a near future update of the plugin?

    Thanks for your time!

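As an added illustration of the policy point made in the post above (example code, not from this thread and not from the Site Kit project), the following Node.js script parses a Content-Security-Policy header, reports whether its script-src directive admits eval-like functions, and lists which script hosts that keyword ends up covering. It also places the global-object lookup idiom that depends on new Function beside a form that works under a policy without 'unsafe-eval'. The header values and host names are constructed for the example, and the assumption that a bundle relies on the Function('return this')() idiom is exactly that: the thread does not say which construct the Site Kit vendor bundle uses.

```javascript
// Added example: inspect a CSP header for eval permissions and show why
// 'unsafe-eval' cannot be limited to one script origin.
// All header strings and host names below are constructed for this example.

// Split "name src src; name src" into a Map of directive -> source list.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// script-src governs eval(), new Function() and string timers;
// default-src is the fallback when script-src is absent.
function scriptSources(header) {
  const directives = parseCsp(header);
  return directives.get('script-src') ?? directives.get('default-src') ?? null;
}

// True when the policy lets scripts use eval-like constructs.
function allowsEval(header) {
  const sources = scriptSources(header);
  if (sources === null) return true; // no applicable directive: nothing restricts eval
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// 'unsafe-eval' is a keyword in the source list, not a property of any host in it,
// so once present it applies to every permitted script origin. This returns the
// hosts that gain eval rights under the given header (empty when eval is blocked).
function hostsAffectedByEval(header) {
  const sources = scriptSources(header) ?? [];
  if (!allowsEval(header)) return [];
  return sources.filter((s) => !s.startsWith("'"));
}

// Constructed policies: a strict one and the weakened one a plugin using
// new Function() would force on the whole site.
const STRICT_CSP =
  "default-src 'self'; script-src 'self' https://cdn.example; object-src 'none'";
const WEAKENED_CSP =
  "default-src 'self'; script-src 'self' 'unsafe-eval' https://cdn.example; object-src 'none'";

// A common reason bundled vendor code contains new Function(): locating the
// global object. Assumed pattern for illustration; it needs 'unsafe-eval'.
function globalViaFunction() {
  return new Function('return this')();
}

// Equivalent lookup that runs under a policy without 'unsafe-eval'.
function globalWithoutEval() {
  if (typeof globalThis !== 'undefined') return globalThis;
  if (typeof self !== 'undefined') return self;
  if (typeof window !== 'undefined') return window;
  return global;
}

for (const [label, policy] of [['strict', STRICT_CSP], ['weakened', WEAKENED_CSP]]) {
  console.log(label, 'allows eval:', allowsEval(policy),
    'hosts covered:', hostsAffectedByEval(policy));
}
console.log('same global object:', globalViaFunction() === globalWithoutEval());
```

Running this under Node prints that the strict policy blocks eval while the weakened one grants it to every listed host, which is the scoping limitation the post describes; the last line confirms the eval-free lookup resolves the same object, so a bundle can drop the new Function dependency without changing behaviour.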

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support James Osborne

    (@jamesosborne)

    Thanks for reaching out @brnatermedia. Given your CSP doesn’t allow for unsafe-eval, I’ll check our use of new Function() and other mechanisms with the team and report back to you here. I may not get back to you today on this, but I will have an update this week.

    Are there plans in place already for making this update? Will you consider adding this update to a near future update of the plugin?

    I can’t be sure but I will also be checking this with the team. Note that the plugin is open source, so you can check for any changes or even submit your own issue over on the below repository:
    https://github.com/google/site-kit-wp

    Thank you.

  • Thread Starter brnatermedia

    (@brnatermedia)

    I very much appreciate you taking the time. Will keep an eye out for your reply.

  • Plugin Support James Osborne

    (@jamesosborne)

    Apologies for the late response on this @brnatermedia. Just to make you aware that we created a GitHub issue after discussing your query with the team. Feel free to subscribe to, or chime in on the below:
    https://github.com/google/site-kit-wp/issues/11079

    Thanks for raising this!


The topic ‘Plugin fails strict CSP configurations’ is closed to new replies.