@julian said in content security policy:
@teh_g Thanks for posting!
Security of client-side assets is definitely something we're planning on implementing, CSP included.
However there is a trade-off with our current setup (which is more open, and allows plugins to pull scripts as necessary via script tag injection, etc), to one with CSP enabled, in which case some plugins may run into situations where functionality no longer works.
At this point I am not entirely certain what kinds of plugins may be affected, but it is a consideration going forward...
So far, I managed to use the report-only header to at least get something in place. With a few additions for my iframely setup, I was able to get my forums and admin panel to not report any potential blocks using this CSP:
add_header Content-Security-Policy-Report-Only "default-src 'self'; connect-src 'self' wss: https://api.github.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://iframely.gamingexodus.com https://storage.googleapis.com https://checkout.stripe.com; img-src 'self' data: https://i.imgur.com https://www.gravatar.com https://gamingexodus.com https://www.gamingexodus.com https://static-cdn.jtvnw.net; style-src 'self' 'unsafe-inline' https://maxcdn.bootstrapcdn.com https://fonts.googleapis.com; font-src 'self' https://maxcdn.bootstrapcdn.com https://fonts.gstatic.com; child-src https://iframely.gamingexodus.com; object-src 'none'";
Some comments around a few ones and where they may apply:
- Any of the gamingexodus.com ones are exclusively for me, since these are for my domain
- Due to how I set up my forum, I had to add the www and gamingexodus.com versions to load some images properly. I think this is just due to how 'self' is defined
- This one was weird, it showed up on the admin page, must come from one of the plugins I have?
- Not sure what requires this
- Not a huge fan of this one, but it looks like the ACP needs it for checking the latest version
- Unique to the Twitch monitor plugin
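To see what the posted Report-Only policy actually permits before switching it to an enforcing header, here is an added example (not code from the post or from NodeBB) that parses the header value into directives and flags the settings a defender would want to review; the policy string is copied from the add_header line above, and the audit rules are this example's own assumptions.

```python
from typing import Dict, List

# Constructed from the header value posted above (nginx add_header wrapper removed).
POSTED_POLICY = (
    "default-src 'self'; connect-src 'self' wss: https://api.github.com; "
    "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://iframely.gamingexodus.com "
    "https://storage.googleapis.com https://checkout.stripe.com; "
    "img-src 'self' data: https://i.imgur.com https://www.gravatar.com "
    "https://gamingexodus.com https://www.gamingexodus.com https://static-cdn.jtvnw.net; "
    "style-src 'self' 'unsafe-inline' https://maxcdn.bootstrapcdn.com https://fonts.googleapis.com; "
    "font-src 'self' https://maxcdn.bootstrapcdn.com https://fonts.gstatic.com; "
    "child-src https://iframely.gamingexodus.com; object-src 'none'"
)


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [source expressions]}.

    Directives are ';'-separated, tokens whitespace-separated, names
    case-insensitive; a repeated directive keeps its first occurrence,
    which is how browsers treat duplicates.
    """
    directives: Dict[str, List[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def audit_csp(policy: str) -> List[str]:
    """Return findings a defender would want to see before switching
    from Report-Only to an enforcing Content-Security-Policy header."""
    d = parse_csp(policy)
    findings = []
    # script-src falls back to default-src when absent
    script = d.get("script-src", d.get("default-src", []))
    for weak in ("'unsafe-inline'", "'unsafe-eval'"):
        if weak in script:
            findings.append(f"script-src allows {weak}")
    if "wss:" in d.get("connect-src", []):
        findings.append("connect-src allows any wss: host")
    if "report-uri" not in d and "report-to" not in d:
        findings.append("no report-uri/report-to: violations only reach the browser console")
    if d.get("object-src") != ["'none'"]:
        findings.append("object-src is not 'none'")
    return findings
```

Run `audit_csp(POSTED_POLICY)` to list the flagged items; the report-uri finding matters in particular, because without a reporting endpoint the Report-Only header surfaces blocks only in each visitor's own dev console.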