style-src

Resolved fuzzy21
(@fuzzy21)

1 year, 10 months ago

I cannot figure out how to fix this:

[Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: “script-src ‘self’ https: https://cdnjs.cloudflare.com https://script.crazyegg.com ‘nonce-2214f199ebd499f0d215-shortened’ ‘report-sample'”. Either the ‘unsafe-inline’ keyword, a hash (‘sha256-d5AXR2g0ALC-shortened’), or a nonce (‘nonce-…’) is required to enable inline execution.

I whitelisted all the urls.

I have nonce enabled on style-src. Is there something else need to do?

This is happening on the default WordPress page of the site. It’s an internal site, so I don’t ahve a url.

Viewing 8 replies - 1 through 8 (of 8 total)

Plugin Author Giuseppe
(@mociofiletto)

1 year, 10 months ago

I think you should include the 2 domains in your script-src directive from the “base rules” tab and chose nonce for external sources in script-src (the option is in the settings tab)

Thread Starter fuzzy21
(@fuzzy21)

1 year, 10 months ago

I entered the domains and nonce was selected, but still not working. The domain is whitelisted as well. I changed to hash and then back to nonce, but still…

Plugin Author Giuseppe
(@mociofiletto)

1 year, 10 months ago

In your previous message you said that nonce was enabled for style-src and not for script-src. Can you double check it and post a screenshot of your settings?

More, can you post the relevant part of the html with the <script> tags that require those sources?

There could be a problem if those tags are added by another script that uses appendChild() or insertBefore() (I am working on this for next release) but it is impossible to guess it, if I cannot see the page.

Thread Starter fuzzy21
(@fuzzy21)

1 year, 10 months ago

Hopefully you can see those. Settings are both nonce…

Plugin Author Giuseppe
(@mociofiletto)

1 year, 10 months ago

that is not an external script, but an inline one.

Please, enable nonce for inline scripts too (it is another option called inline_scripts_mode ) and it is just beyond SRI options.

Do you know how it is added to the page? It is after the html closing tab, why?

Thread Starter fuzzy21
(@fuzzy21)

1 year, 10 months ago

inline scripts is set to nonce.

It is Query Monitor plugin that is putting it in there.

Thanks,

Plugin Author Giuseppe
(@mociofiletto)

1 year, 10 months ago

@fuzzy21 I’m working on this issue.

The problem is:
no-unsafe-inline (via its mu-plugin) adds a closure to the shutdown action hook with 0 priority (and this is needed to be sure that the closure is executed before wp runs ob_end_flush() on each open output buffer level);

query-monitor adds to the shutdown hook an action to dispatch its output with a priority of 9 https://github.com/johnbillion/query-monitor/blob/2b58634b37b8e7de52d8363c741053f42b7c8079/dispatchers/Html.php#L52

This causes that the action added by query monitor runs after that no-unsafe-inline performs its stuff, and this is why the query-monitor inline scripts are not captured (and cannot be whitelisted).

However, if I simply increase the priority of the no-unsafe-inline closure to something bigger than 9, it will run after that wp default action has run because the wp core adds this action with a priority of 1:

https://github.com/WordPress/wordpress-develop/blob/e3e7fdbf7c3fd9f04871118a16b98f1544e94984/src/wp-includes/default-filters.php#L413

Now I’m testing a solution that will early remove the default wp action when no-unsafe-inline is in place, and then, arise the no-unsafe-inline closure priority to be sure it runs after all others actions added to the shutdown hook.

Please, wait for next release, and thanks for reporting.

Thread Starter fuzzy21
(@fuzzy21)

1 year, 10 months ago

Great, thank you, looking forward to trying it.

Viewing 8 replies - 1 through 8 (of 8 total)

The topic ‘style-src’ is closed to new replies.