-
When I try to set up a CSP (content security policy) on my site, I run into some problems because of FV Player (free).
FV Player seems to require ‘unsafe-inline’ in both the script-src directive and the style-src directive of the CSP. Both of which are undesirable because of cyber security.Do you happen to know a solution in order to avoid ‘unsafe-inline’ in script-src and style-src?
-
-
Hello Stein,
what do you use to setup the CSP headers? It seems no matter if we try to add CSP nonce or CSP hash, we need to add it to the CSP headers.
Doing this is not easy as even core WordPress is struggling to implement what’s needed by CSP:
* Remove inline javascript from WP-Core to allow CSP protection: https://core.trac.wordpress.org/ticket/32067
* Allow using Content-Security-Policy without unsafe-inline: https://core.trac.wordpress.org/ticket/39941Do you have any plugin which puts in different JavaScript code on each page and is passing these CSP requirements?
Thanks,
Martin
Many thanks for answering very quickly, Martin!
I configure the CSP using NinjaFirewall WP+ Edition.
After reading the links you supplied I think there is a big chance I break some other WP core and plugin functionalities when using script-src ‘unsafe-inline’.
I have not tested my other plugins WP core functions enough to know if they properly. I just noticed that FV Player got problems loading the videos.
I guess the best thing for me probably is to wait for WP to become free from inline scripts.
Thank a lot for sheding some light on CSP!
Stein :)
Hello Stein,
removing the inline scripts is not going to be easy, as it’s often something specific to some article. In case of FV Player we do not use any big inline scripts, just the variables to ensure the global configuration variables of FV Player are in place.
Perhaps the wp_localize_script() call which we use will soon support the checksum for CSP. It could work with the CSP nonce as well, but it’s a mystery to me how would that work on cached websites.
Thanks,
Martin
