Support » Alpha/Beta/RC » Blocked by Content Security Policy

  • Resolved rahilwazir

    (@rahilwazir)


    Appearance > Customize shows following error on all themes (including 2017).

    Firefox:

    Blocked by Content Security Policy

    Chrome:
    Chrome shows blank page but under developer tools Network tab, the request status:

    (blocked:devtools)

    I’ve tested on fresh WP 4.6.1 with Twenty Sixteen and some others, working fine, no errors.

    • This topic was modified 2 years, 10 months ago by  rahilwazir.
Viewing 13 replies - 1 through 13 (of 13 total)
  • Moderator Dominik Schilling

    (@ocean90)

    WordPress Core Developer

    Hello @rahilwazir, thanks for the report.

    Could you provide some information about your setup? You get this error with the WordPress 4.7 beta 1? What’s the URL of your site? Does it include a port number?

    Hey @ocean90,

    I’m testing it on my local machine, here is my setup:

    • OS: Ubuntu 16.10
    • Server: NGINX 1.11.5
    • PHP: 7.0.9-1
    • WP: 4.7 beta 1
    • URL: http://local.wp_beta.com (it’s vhost on my local, not public)
    • Port: N/A (default 80)

    I’ll investigate.

    Do you have any plugins activated? Can you grab the HTTP response headers from the iframe preview request and share?

    Hi @westonruter,

    No I don’t have any plugins except “WordPress Beta Tester”, I also tried with disabling it but no luck.

    Here are the response headers when visiting wp-admin/customize.php:

    HTTP/1.1 200 OK
    Server: nginx/1.11.5
    Date: Sat, 29 Oct 2016 12:44:54 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Robots: noindex, nofollow, noarchive
    Expires: Wed, 11 Jan 1984 05:00:00 GMT
    Cache-Control: no-cache, must-revalidate, max-age=0
    X-Frame-Options: ALLOW-FROM http://local.wp_beta.com/wp-admin/customize.php
    Content-Security-Policy: frame-ancestors http://local.wp_beta.com
    Link: <http://local.wp_beta.com/wp-json/>; rel="https://api.w.org/"
    Link: <http://local.wp_beta.com/>; rel=shortlink
    Content-Encoding: gzip

    Chrome devtool console outputs:

    Refused to display 'http://local.wp_beta.com/?customize_changeset_uuid=5268f754-0989-404b-9cb6-…2551&customize_theme=twentyseventeen&customize_messenger_channel=preview-0' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors http://local.wp_beta.com".
    
    The source list for Content Security Policy directive 'frame-ancestors' contains an invalid source: 'http://local.wp_beta.com'. It will be ignored.
    • This reply was modified 2 years, 10 months ago by  rahilwazir.
    • This reply was modified 2 years, 10 months ago by  rahilwazir.
    • This reply was modified 2 years, 10 months ago by  rahilwazir.

    That’s really strange. And you’re accessing the customizer via http://local.wp_beta.com/wp-admin/customize.php in your browser?

    The response header looks right:

    Content-Security-Policy: frame-ancestors http://local.wp_beta.com

    Firefox is loading the iframe as expected for me with the following response headers (served via Nginx on VVV):

    Cache-Control: no-cache, must-revalidate, max-age=0
    Connection: keep-alive
    Content-Security-Policy: frame-ancestors http://src.wordpress-develop.dev
    Content-Type: text/html; charset=UTF-8
    Date: Sat, 29 Oct 2016 17:40:25 GMT
    Expires: Wed, 11 Jan 1984 05:00:00 GMT
    Link: <http://src.wordpress-develop.dev/wp-json/>; rel="https://api.w.org/", <http://src.wordpress-develop.dev/>; rel=shortlink
    Server: nginx
    Transfer-Encoding: chunked
    X-Frame-Options: ALLOW-FROM http://src.wordpress-develop.dev/wp-admin/customize.php
    X-Robots: noindex, nofollow, noarchive

    And I’m accessing the customizer via http://src.wordpress-develop.dev/wp-admin/customize.php.

    I am only able to get Firefox to display the same CSP error message if I change the Content-Security-Policy header to send back a different domain, like frame-ancestors http://example.com.

    Does the iframe load as expected when you comment-out the following line in \WP_Customize_Manager::filter_iframe_security_headers() in class-wp-customize-manager.php?

    $headers['Content-Security-Policy'] = 'frame-ancestors ' . preg_replace( '#^(\w+://[^/]+).+?$#', '$1', $customize_url );

    I’m testing this in Firefox 49.0.2. Which version are you testing with?

    Any support you can provide with troubleshooting the reason as to why your Firefox is failing the CSP would be extremely appreciated since I cannot reproduce the issue, and the issue is unique to your environment as far as I know.

    • This reply was modified 2 years, 10 months ago by  Weston Ruter.

    Yes I also tried http://local.wp_beta.com/wp-admin/customize.php without query parameters.

    Following is my Firefox v49.0 headers (also tested with nightly 52.0a1):

    Cache-Control: no-cache, must-revalidate, max-age=0
    Connection: keep-alive
    Content-Encoding: gzip
    Content-Type: text/html; charset=UTF-8
    Date: Sun, 30 Oct 2016 09:55:34 GMT
    Expires: Wed, 11 Jan 1984 05:00:00 GMT
    Server: nginx/1.11.5
    Transfer-Encoding: chunked
    X-Frame-Options: SAMEORIGIN

    Does the iframe load as expected when you comment-out the following line

    Yes, commenting out the following line, renders the page correctly both with Chrome and Firefox
    $headers['Content-Security-Policy'] = 'frame-ancestors ' . preg_replace( '#^(\w+://[^/]+).+?$#', '$1', $customize_url );

    I have tested with Chrome 56.0.2902.0 dev (64-bit), Firefox stable(49.0)/nightly(52.0a1)

    Any support you can provide with troubleshooting the reason as to why your Firefox is failing the CSP

    I have no idea, it’s not working on any browsers (not just Firefox).
    Worth to note that other WP environments (v4.6.1) with same vhost configurations are working fine.

    I’ll see what I can find, will surely update you.

    • This reply was modified 2 years, 10 months ago by  rahilwazir.

    Thank you. As a fallback if we can’t figure out why Firefox is rejecting the iframe request, then the CSP header could be overridden to be removed entirely. I originally included it to override any other plugins that may have added the header to prevent their site from being iframed. But instead of specifying frame-ancestors as its value, the entire header could be removed instead if we also then include a preview nonce among the customized state query params. Nevertheless, if we can figure out why Firefox is rejecting it that would be best.

    I’ve opened a Trac ticket for this for better tracking. We continue there instead: https://core.trac.wordpress.org/ticket/38571

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    🏳️‍🌈 Plugin Review Team Rep

    We mark posts that have trac tickets as resolved for sanity. It lets mods and volunteers know we don’t have to jump in and find an issue. You should follow the discussion on trac. You can click the ‘Watch’ button on the trac ticket (it’s near the bottom) to get email alerts. If you need to log in, it’s the same ID/password as you use for the forums.

    Adding this line to root .htaccess file solved it for me:
    Header set Content-Security-Policy: "frame-ancestors 'self'"

    Not sure about the implications of this, so use in dev only.

    Didn’t want to resurrect this topic, I ran into this issue and spent right around 7-8 hours trying to diagnose this. Tried websevendevs solution, Caused Apache2 to generate errors and return a Error 500 on any page.

    Here is what I found out and did:
    – The headers module was not enabled. I had to enable this module by typing:

    sudo a2enmod headers.load then sudo service apache2 restart

    – I went into /etc/apache2/conf-available/security.conf and then added the line websevendev mentioned.

    Header set Content-Security-Policy: "frame-ancestors 'self'"

    Now it’s fixed for all of my WordPress VirtualHosts. I am actually surprised that Apache doesn’t set this as default because it does set script-src to self and object-src to self. I don’t see any implications of this setting so far.

    • This reply was modified 2 years, 3 months ago by  brekmister. Reason: Made it easier to read
    • This reply was modified 2 years, 3 months ago by  brekmister. Reason: Specified path for security.conf
    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    🏳️‍🌈 Plugin Review Team Rep

    This is not the same issue. I’m closing this out of date post, since it’s specific to Alpha/Beta.

Viewing 13 replies - 1 through 13 (of 13 total)
  • The topic ‘Blocked by Content Security Policy’ is closed to new replies.