• Resolved haddlyapis

    (@haddlyapis)


    Hi there,
    firstly, thx for making such a great plugin!
    Due to new GDPR guidelines certain inline scripts are no longer allowed and must be either added to external files or removed.
    The following error has been thrown while analysing my site:
    [Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self' fonts.googleapis.com maxcdn.bootstrapcdn.com fonts.gstatic.com". Either the 'unsafe-inline' keyword, a hash ('sha256-nW9BO1zcJKNZj0R02xvvhnfdGRH2lKj/rpfS1P5VgEU='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
    which relates to the following inline script:
    <script type='text/javascript' id='wordfenceAJAXjs-js-extra'>
    Could you please advise here on what to do?
    thx


  • Plugin Support wfpeter

    (@wfpeter)

    Hi @haddlyapis, thanks for seeking our advice on this.

    Which new GDPR guideline in particular are you referring to? If you have a link or text paragraph from the directives, it would help us assess whether we need to make an update to the plugin itself to ensure compliance going forwards.

    As you currently only have default-src set it’s falling back on that policy, so you could include a script-src to specifically address this issue with ‘unsafe-inline’ as suggested in the analysis you provided:

    
    # Apache httpd (mod_headers): the header name and its value are separate arguments, so no colon after the name
    Header always set Content-Security-Policy "script-src https://my-site.com https://fonts.googleapis.com https://fonts.gstatic.com 'unsafe-inline' 'unsafe-eval' data:"
    

    If you wish to avoid producing that script specifically, you could turn off the options under Wordfence > All Options > Whitelisted URLs > Monitor background requests from an administrator’s web browser on the front end and/or admin pages.

    Thanks,

    Peter.

    Thread Starter haddlyapis

    (@haddlyapis)

    Hi there,
    so, to be more specific, this is more an issue with CSP Cross site scripting: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP and the errors that have been thrown above are via the site https://webbkoll.dataskydd.net/

    Plugin Support wfpeter

    (@wfpeter)

    Hi @haddlyapis,

    Wordfence uses an inline script to call a script on the page itself, is not running it externally, and is not using it in a manner that is inappropriate for the level of risk – which is stated in the GDPR Article 32 guideline.

    GDPR does not state that inline scripts violate privacy laws, although it does recommend server settings such as your Content-Security-Policy to set a level of security appropriate to the “risk”. If you consider the 3rd party site scan to have shown a violation of GDPR on your site, please contact the 3rd party tool and/or your legal counsel to determine if the site is in fact violating GDPR law.

    We are not able to ultimately decide this for you as our view is that we are using inline scripts within GDPR guidelines.

    Thanks again,

    Peter.

    Thread Starter haddlyapis

    (@haddlyapis)

    Hi there Peter,

    thank you for your diligence and researching this topic in more depth. I will pass this information back to our GDPR consultant.

    But for the “hardliners”, is there any discussion on making these inline scripts more secure by adding either nonces or hashes?
    Here is a good article on how they stop cross site scripting.
    https://www.troyhunt.com/locking-down-your-website-scripts-with-csp-hashes-nonces-and-report-uri/
    regards
    Daniel.

    • This reply was modified 5 years, 6 months ago by haddlyapis.
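    The two approaches discussed in this thread, allowing inline scripts wholesale with 'unsafe-inline' versus allowlisting a specific script by its hash or a nonce, can be compared with a small policy evaluator. The following is an added example (not code from the thread or from Wordfence); the inline script body is a constructed stand-in for the wordfenceAJAXjs-js-extra block, and the hash it produces has the same 'sha256-<base64>' form as the one quoted in the original error report.

```python
import base64
import hashlib
import re
from typing import List, Optional

def csp_hash(script_body: str, algo: str = "sha256") -> str:
    """Return the CSP source expression ('sha256-<base64>') for an inline script body.
    Browsers hash the exact text between <script> and </script>, so whitespace matters."""
    digest = hashlib.new(algo, script_body.encode("utf-8")).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"

def inline_allowed(directive: str, script_body: str, nonce: Optional[str] = None) -> bool:
    """Decide whether an inline script executes under a script-src (or fallback default-src)
    source list. Implements the CSP Level 3 rule that once any nonce or hash source is
    present, 'unsafe-inline' is ignored and only a matching hash or nonce lets it run."""
    sources = directive.split()
    hash_sources = {s.strip("'") for s in sources
                    if re.fullmatch(r"'sha(256|384|512)-[A-Za-z0-9+/=]+'", s)}
    nonce_sources = {s.strip("'")[len("nonce-"):] for s in sources if s.startswith("'nonce-")}
    if hash_sources or nonce_sources:
        if any(csp_hash(script_body, a) in hash_sources for a in ("sha256", "sha384", "sha512")):
            return True
        return nonce is not None and nonce in nonce_sources
    return "'unsafe-inline'" in sources

def hardened_script_src(hosts: List[str], inline_bodies: List[str]) -> str:
    """Build a script-src value that allows the given hosts plus specific inline scripts by hash,
    instead of opening the door to every inline script with 'unsafe-inline'."""
    return "script-src " + " ".join(hosts + [f"'{csp_hash(b)}'" for b in inline_bodies])

# Constructed sample inline script (stand-in for the plugin's "extra" data block).
SAMPLE_INLINE = 'var WFAJAXWatcherVars = {"watcher_ajax_url":"/wp-admin/admin-ajax.php"};'

def demo() -> str:
    """Return a hardened Content-Security-Policy value for the sample script."""
    return hardened_script_src(["'self'", "fonts.googleapis.com", "fonts.gstatic.com"], [SAMPLE_INLINE])

if __name__ == "__main__":
    print("Content-Security-Policy:", demo())
```

    Note that a hash covers one exact script body: if the plugin's inline data changes between page loads, the hash changes with it, which is why a per-request nonce is the usual choice for dynamically generated inline scripts.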
    Thread Starter haddlyapis

    (@haddlyapis)

    Also, I have just realised that this is only a scripting issue for the admin of the site, not for users. (<script type='text/javascript' id='wordfenceAJAXjs-js-extra'>)
    If someone gets access to my Admin, then I have more worrisome things to think about than XSS. cheers.

    Plugin Support wfpeter

    (@wfpeter)

    Hi @haddlyapis, glad we could be of assistance.

    We have development suggestion channels and I have put nonce/hash addition to Wordfence scripts forward. I cannot comment here on potential timescales going forward, but legitimate use-cases like yours will certainly be taken seriously in our discussions.

    Thanks again,

    Peter.


The topic ‘inline script violates Content Security Policy Directive’ is closed to new replies.