Blocked by Content Security Policy
-
Appearance > Customize shows following error on all themes (including 2017).
Firefox:
Blocked by Content Security Policy
Chrome:
Chrome shows blank page but under developer tools Network tab, the request status:(blocked:devtools)
I’ve tested on fresh WP 4.6.1 with Twenty Sixteen and some others, working fine, no errors.
- This topic was modified 8 years, 1 month ago by rahilwazir.
-
Hello @rahilwazir, thanks for the report.
Could you provide some information about your setup? You get this error with the WordPress 4.7 beta 1? What’s the URL of your site? Does it include a port number?
Hey @ocean90,
I’m testing it on my local machine, here is my setup:
- OS: Ubuntu 16.10
- Server: NGINX 1.11.5
- PHP: 7.0.9-1
- WP: 4.7 beta 1
- URL: http://local.wp_beta.com (it’s vhost on my local, not public)
- Port: N/A (default 80)
I’ll investigate.
Do you have any plugins activated? Can you grab the HTTP response headers from the iframe preview request and share?
Hi @westonruter,
No I don’t have any plugins except “WordPress Beta Tester”, I also tried with disabling it but no luck.
Here are the response headers when visiting
wp-admin/customize.php
:HTTP/1.1 200 OK Server: nginx/1.11.5 Date: Sat, 29 Oct 2016 12:44:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Robots: noindex, nofollow, noarchive Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 X-Frame-Options: ALLOW-FROM http://local.wp_beta.com/wp-admin/customize.php Content-Security-Policy: frame-ancestors http://local.wp_beta.com Link: <http://local.wp_beta.com/wp-json/>; rel="https://api.w.org/" Link: <http://local.wp_beta.com/>; rel=shortlink Content-Encoding: gzip
Chrome devtool console outputs:
Refused to display 'http://local.wp_beta.com/?customize_changeset_uuid=5268f754-0989-404b-9cb6-β¦2551&customize_theme=twentyseventeen&customize_messenger_channel=preview-0' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors http://local.wp_beta.com". The source list for Content Security Policy directive 'frame-ancestors' contains an invalid source: 'http://local.wp_beta.com'. It will be ignored.
- This reply was modified 8 years, 1 month ago by rahilwazir.
- This reply was modified 8 years, 1 month ago by rahilwazir.
- This reply was modified 8 years, 1 month ago by rahilwazir.
That’s really strange. And you’re accessing the customizer via
http://local.wp_beta.com/wp-admin/customize.php
in your browser?The response header looks right:
Content-Security-Policy: frame-ancestors http://local.wp_beta.com
Firefox is loading the iframe as expected for me with the following response headers (served via Nginx on VVV):
Cache-Control: no-cache, must-revalidate, max-age=0
Connection: keep-alive
Content-Security-Policy: frame-ancestors http://src.wordpress-develop.dev
Content-Type: text/html; charset=UTF-8
Date: Sat, 29 Oct 2016 17:40:25 GMT
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Link: <http://src.wordpress-develop.dev/wp-json/>; rel="https://api.w.org/", <http://src.wordpress-develop.dev/>; rel=shortlink
Server: nginx
Transfer-Encoding: chunked
X-Frame-Options: ALLOW-FROM http://src.wordpress-develop.dev/wp-admin/customize.php
X-Robots: noindex, nofollow, noarchiveAnd I’m accessing the customizer via
http://src.wordpress-develop.dev/wp-admin/customize.php
.I am only able to get Firefox to display the same CSP error message if I change the
Content-Security-Policy
header to send back a different domain, likeframe-ancestors http://example.com
.Does the iframe load as expected when you comment-out the following line in
\WP_Customize_Manager::filter_iframe_security_headers()
inclass-wp-customize-manager.php
?$headers['Content-Security-Policy'] = 'frame-ancestors ' . preg_replace( '#^(\w+://[^/]+).+?$#', '$1', $customize_url );
I’m testing this in Firefox 49.0.2. Which version are you testing with?
Any support you can provide with troubleshooting the reason as to why your Firefox is failing the CSP would be extremely appreciated since I cannot reproduce the issue, and the issue is unique to your environment as far as I know.
- This reply was modified 8 years, 1 month ago by Weston Ruter.
Yes I also tried
http://local.wp_beta.com/wp-admin/customize.php
without query parameters.Following is my Firefox v49.0 headers (also tested with nightly 52.0a1):
Cache-Control: no-cache, must-revalidate, max-age=0 Connection: keep-alive Content-Encoding: gzip Content-Type: text/html; charset=UTF-8 Date: Sun, 30 Oct 2016 09:55:34 GMT Expires: Wed, 11 Jan 1984 05:00:00 GMT Server: nginx/1.11.5 Transfer-Encoding: chunked X-Frame-Options: SAMEORIGIN
Does the iframe load as expected when you comment-out the following line
Yes, commenting out the following line, renders the page correctly both with Chrome and Firefox
$headers['Content-Security-Policy'] = 'frame-ancestors ' . preg_replace( '#^(\w+://[^/]+).+?$#', '$1', $customize_url );
I have tested with Chrome 56.0.2902.0 dev (64-bit), Firefox stable(49.0)/nightly(52.0a1)
Any support you can provide with troubleshooting the reason as to why your Firefox is failing the CSP
I have no idea, it’s not working on any browsers (not just Firefox).
Worth to note that other WP environments (v4.6.1) with same vhost configurations are working fine.I’ll see what I can find, will surely update you.
- This reply was modified 8 years, 1 month ago by rahilwazir.
Thank you. As a fallback if we can’t figure out why Firefox is rejecting the iframe request, then the CSP header could be overridden to be removed entirely. I originally included it to override any other plugins that may have added the header to prevent their site from being iframed. But instead of specifying
frame-ancestors
as its value, the entire header could be removed instead if we also then include a preview nonce among the customized state query params. Nevertheless, if we can figure out why Firefox is rejecting it that would be best.I’ve opened a Trac ticket for this for better tracking. We continue there instead: https://core.trac.wordpress.org/ticket/38571
We mark posts that have trac tickets as resolved for sanity. It lets mods and volunteers know we don’t have to jump in and find an issue. You should follow the discussion on trac. You can click the ‘Watch’ button on the trac ticket (it’s near the bottom) to get email alerts. If you need to log in, it’s the same ID/password as you use for the forums.
Adding this line to root .htaccess file solved it for me:
Header set Content-Security-Policy: "frame-ancestors 'self'"
Not sure about the implications of this, so use in dev only.
Didn’t want to resurrect this topic, I ran into this issue and spent right around 7-8 hours trying to diagnose this. Tried websevendevs solution, Caused Apache2 to generate errors and return a Error 500 on any page.
Here is what I found out and did:
– The headers module was not enabled. I had to enable this module by typing:sudo a2enmod headers.load
thensudo service apache2 restart
– I went into
/etc/apache2/conf-available/security.conf
and then added the line websevendev mentioned.Header set Content-Security-Policy: "frame-ancestors 'self'"
Now it’s fixed for all of my WordPress VirtualHosts. I am actually surprised that Apache doesn’t set this as default because it does set
script-src
toself
andobject-src
toself
. I don’t see any implications of this setting so far.- This reply was modified 7 years, 6 months ago by brekmister. Reason: Made it easier to read
- This reply was modified 7 years, 6 months ago by brekmister. Reason: Specified path for security.conf
This is not the same issue. I’m closing this out of date post, since it’s specific to Alpha/Beta.
- The topic ‘Blocked by Content Security Policy’ is closed to new replies.