Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CSP help #452

Open
azrael11 opened this issue Oct 6, 2021 · 6 comments
Open

CSP help #452

azrael11 opened this issue Oct 6, 2021 · 6 comments
Labels
question

Comments

@azrael11
Copy link

azrael11 commented Oct 6, 2021
edited

Hello

I have this header csp in my .htaccess.

Header set Content-Security-Policy "script-src 'unsafe-inline' 'self' http: https://perfecteclass.com.cy; object-src 'none'; base-uri 'none'; form-action 'self'; frame-ancestors 'self' https://www.perfecteclass.com.cy;"

if i put 'strict-dynamic' in script-src scripts from the my site not loading the same result have the require-trusted-types-for 'script';
So i get B in mozilla observatory.

image

What can i do so i can put 'strict-dynamic' and require-trusted-types-for 'script' and the scripts of the site loading right
so i can get an A from observatory?

Thank you
@floatingatoll
Copy link
Contributor

At a glance, I suspect you would need to remove unsafe-inline and replace http: with https: in your CSP definitions.

@azrael11
Copy link
Author

azrael11 commented Oct 6, 2021

At a glance, I suspect you would need to remove unsafe-inline and replace http: with https: in your CSP definitions.

i do that and the result is not working the scritps.
To give more info the site is a wordpress site with elementor pro

@floatingatoll
Copy link
Contributor

Ah, it's possible that your site or your plugins are incompatible with the most-secure CSP settings, and a higher grade may not be possible.

@azrael11
Copy link
Author

azrael11 commented Oct 6, 2021

Ah, it's possible that your site or your plugins are incompatible with the most-secure CSP settings, and a higher grade may not be possible.

How can i know where is the problem in plugins or in the site?
In developer tools is see only that it cant get the scripts under this policy.

@floatingatoll
Copy link
Contributor

I don't know, sorry. You would have to trace the HTML served up by Wordpress to either Wordpress itself, or to a specific plugin's insertions into that HTML, and find some other way to make it happen.

@azrael11
Copy link
Author

azrael11 commented Oct 6, 2021

I don't know, sorry. You would have to trace the HTML served up by Wordpress to either Wordpress itself, or to a specific plugin's insertions into that HTML, and find some other way to make it happen.

Thank you very much for quick response and for help.
I'll leave this issue open if there anybody knows something more.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
question
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@floatingatoll @azrael11