Forum Replies Created

Viewing 4 replies - 1 through 4 (of 4 total)
Thread Starter ghost444

    (@ghost444)

I’m quite confused by “break for any site that does not support CSP”. A site that uses CSP has stricter rules than the others, and there is no other difference. I think that if the site worked with CSP, it wouldn’t fail without CSP.

    You are right. It’s hard to find a way that allows dynamic styling without adding inline CSS. Maybe I will just ignore this by adding unsafe-inline to CSP.

    Thanks for your attention.

    Thread Starter ghost444

    (@ghost444)

I am sorry that I may have described it in the wrong way.

The CSP header is set by me. Gravatar and Google Fonts have been trusted; the issues are inline styles and scripts like those in the screenshot of Chrome’s console below. It’s too much to add the hash of each of them to the header, which is included every time the server responds to a request:

[Screenshot: https://img.vim-cn.com/17/d5fb342f01715226c779e22cc4febde3e135f8.png]

For example, a JavaScript file at [https://ghostblog.info/tem/wordpress/wp-content/themes/author/js/build/production.min.js?ver=4.5.3] is trying to add an inline style, which has been denied.

[Screenshot: https://img.vim-cn.com/01/3ecadaa6530bc30e96260a55c9f8b8b132a959.png]

    Thread Starter ghost444

    (@ghost444)

    Thanks for replying.

I have tried creating a new site without any plugins or settings, just finishing the installation guide and enabling Author. And there are still some CSP errors in the console.

My CSP header:

    default-src 'self'; script-src 'self' 'sha256-vP1LFpvG7zi1Cicxc8WNMvMtag9RnYm7kb7deRdLEHQ=' ; img-src 'self' https://secure.gravatar.com; style-src 'self' https://fonts.googleapis.com/css 'sha256-OyKg6OHgnmapAcgq002yGA58wB21FOR7EcTwPWSs54E='; font-src 'self' https://fonts.gstatic.com

(The hash is for the CSS you mentioned, to enable emoji support)

    The site link for your reference: [https://ghostblog.info/tem/wordpress/]
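Generating the per-element hashes that the poster describes as too much work can be automated, and doing so is the usual way to keep a strict policy without falling back to 'unsafe-inline' (which switches off CSP's protection against injected scripts). The following is an added example, not code from this thread or from the Author theme: it pulls every inline <script> (one without a src attribute) and <style> element out of a page and emits the matching 'sha256-…' source expressions for script-src and style-src. The sample HTML is constructed, and the base policy is modelled on the directives quoted in the post above. Two caveats a practitioner should keep in mind: the hash is over the exact element content, so any change to it (a theme or plugin update, even a whitespace change) invalidates the hash and the header must be regenerated; and hashes do not cover style="…" attributes or inline event handlers, so styles that a script sets via setAttribute still need another approach (CSS classes, or CSP3's 'unsafe-hashes'). Deploy the generated value under Content-Security-Policy-Report-Only first and watch the console or report endpoint before switching to the enforcing header.

```python
import base64
import hashlib
from html.parser import HTMLParser


class InlineCollector(HTMLParser):
    """Collect the text of inline <script> elements (no src=) and <style> elements.

    The CSP hash covers the element's exact content, byte for byte, so nothing
    is trimmed or normalised here.
    """

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.scripts = []
        self.styles = []
        self._open = None  # (kind, chunks) while inside a script/style element

    def handle_starttag(self, tag, attrs):
        if tag == "script" and not any(name == "src" for name, _ in attrs):
            self._open = ("script", [])
        elif tag == "style":
            self._open = ("style", [])

    def handle_data(self, data):
        if self._open is not None:
            self._open[1].append(data)

    def handle_endtag(self, tag):
        if self._open is not None and tag == self._open[0]:
            kind, chunks = self._open
            target = self.scripts if kind == "script" else self.styles
            target.append("".join(chunks))
            self._open = None


def collect_inline(html):
    """Return (scripts, styles): the contents of the inline elements found in html."""
    parser = InlineCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts, parser.styles


def csp_hash(content):
    """Return the CSP source expression 'sha256-<base64>' for one inline block."""
    digest = hashlib.sha256(content.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def build_csp(html, base_policy):
    """Extend base_policy (directive -> list of sources) with a hash for every
    inline script and style found in html, and serialise it as a header value."""
    scripts, styles = collect_inline(html)
    policy = {name: list(sources) for name, sources in base_policy.items()}
    policy.setdefault("script-src", ["'self'"]).extend(csp_hash(s) for s in scripts)
    policy.setdefault("style-src", ["'self'"]).extend(csp_hash(s) for s in styles)
    return "; ".join(
        f"{name} {' '.join(dict.fromkeys(sources))}"  # dedupe, keep order
        for name, sources in policy.items()
    )


# Constructed sample page: one external script (covered by 'self', so it is not
# hashed), plus one inline script and one inline style that do need hashes.
SAMPLE_HTML = (
    "<html><head>\n"
    '<script src="/wp-includes/js/wp-emoji-release.min.js"></script>\n'
    "<script>window.wpemoji = 1;</script>\n"
    "<style>img.emoji { height: 1em; }</style>\n"
    "</head><body><p>hello</p></body></html>\n"
)

# Base policy modelled on the directives quoted in the thread (assumed for the example).
BASE_POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'"],
    "img-src": ["'self'", "https://secure.gravatar.com"],
    "style-src": ["'self'", "https://fonts.googleapis.com/css"],
    "font-src": ["'self'", "https://fonts.gstatic.com"],
}


if __name__ == "__main__":
    print("Content-Security-Policy: " + build_csp(SAMPLE_HTML, BASE_POLICY))
```

Run it against the real rendered HTML of the site (for example, the output of a request to the front page) rather than the sample above; every page template that emits different inline blocks needs its own hashes in the header, which is why the poster found the list growing so quickly.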

    Thread Starter ghost444

    (@ghost444)

The problem was the verification code…
