Content Security Policy – breaks WordPress javascript

  • #25463
    Paulin Halenria
    Participant

    Hello,

    I have BPS 11.1 installed and a WP up to date. When BPS is activated + some custom codes, there is no more Javascript working in the WP-Admin (No more Divi Page Builder, no more Yoast SEO, no more WordPress internal revisions tool, nothing with Javascript). It’s the second site with the same problem. For the first one, I deactivated BPS secured htaccess, but it’s a shame for me 🙂 So as this one is only my site, I have more time to investigate. Here is the .htaccess generated file: http://pastebin.com/N2kixXxC I really want to sort this, so I will probably be able to re-activate BPS on the site I shared with a customer.

    Best regards
    Cedric

    #25466
    AITpro Admin
    Keymaster

    @ Paulin Halenria – I do not understand what the problem is.  Please explain in detail what problem is occurring.  When the problem occurred.  What you were doing at the time the problem occurred.  Post any Security Log entries, errors or email notifications.  Also have you done the BPS Pro troubleshooting steps if applicable?

    Are you saying that this custom htaccess code below is causing the problem?  If so, use FTP and delete your root htaccess file.  Then remove that code from BPS Custom Code.

    <IfModule mod_headers.c>
    Header set Content-Security-Policy "script-src 'self' https://www.google.com"
    </IfModule>
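
Added example (not part of the thread and not BulletProof Security code): a simplified evaluation of the `script-src` policy quoted above, showing that a source list without `'unsafe-inline'` or `'unsafe-eval'` blocks inline script blocks and `eval()` while still allowing script files from the listed origins. The page origin, the sample loads and the function names are assumptions; nonces, hashes, wildcards and paths are not modelled.

```javascript
// Added example: simplified CSP script-src evaluation (origins and keywords only).
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // When a directive is repeated, only its first occurrence is used.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

function scriptAllowed(policy, load, pageOrigin) {
  // script-src falls back to default-src; with neither, scripts are unrestricted.
  const sources = policy.get('script-src') ?? policy.get('default-src');
  if (sources === undefined) return true;
  if (load.kind === 'inline') return sources.includes("'unsafe-inline'");
  if (load.kind === 'eval') return sources.includes("'unsafe-eval'");
  const origin = new URL(load.url, pageOrigin).origin;
  return sources.some((src) => {
    if (src === "'self'") return origin === pageOrigin;
    if (src.startsWith("'")) return false; // other keywords never match a URL
    try { return new URL(src).origin === origin; } catch { return false; }
  });
}

// Policy string from the thread; the page origin and the loads are constructed samples.
const POLICY = parseCsp("script-src 'self' https://www.google.com");
const PAGE_ORIGIN = 'https://example.com';
const LOADS = [
  { label: 'same-origin file', kind: 'external', url: '/wp-includes/js/jquery/jquery.js' },
  { label: 'google.com file', kind: 'external', url: 'https://www.google.com/recaptcha/api.js' },
  { label: 'other host file', kind: 'external', url: 'https://cdn.example.net/lib.js' },
  { label: 'inline <script> block', kind: 'inline' },
  { label: 'eval() / new Function()', kind: 'eval' },
];

// One "allow"/"BLOCK" line per sample load under the given policy.
function report(policy = POLICY) {
  return LOADS.map((l) => `${scriptAllowed(policy, l, PAGE_ORIGIN) ? 'allow' : 'BLOCK'}  ${l.label}`);
}

console.log(report().join('\n'));
```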

    #25473
    Paulin Halenria
    Participant

    It was indeed the source of the problem. But in this case, how to deal with CSP?
    http://www.html5rocks.com/en/tutorials/security/content-security-policy/
    Sounds important, isn’t it?

    #25475
    AITpro Admin
    Keymaster

    hmm good question.  Years ago this seemed to be an important topic, but it seems to have faded away to the fringes.  I do not know if that is because it just never caught on or was widely accepted or supported by all Browsers or if there are problems with it or some other reasons I can think of.  The CSP documentation was published in 2012:  http://www.w3.org/TR/2012/CR-CSP-20121115/  There seemed to be some usage for about a year and then it just faded away into obscurity. Not really sure why?

    In any case, the link you posted is for a tutorial in 2012 and the site is not a WordPress website.  Just looking at the basics of what and how CSP does what it does I believe it will break WordPress and is not usable on a WordPress website.  That may be the primary reason it faded away into obscurity since WordPress websites are now somewhere around 24% of the website types used Worldwide.

    #25486
    AITpro Admin
    Keymaster

    A new Topic has been created with this title:  Content Security Policy – breaks WordPress javascript
