Support » Plugin: Contact Form 7 » CSP and unsafe-inline

  • I tried to understand if it does but I’m not sure: does Contact Form 7 use inline JS? I need to know it because I’m trying not to declare unsafe-inline and unsafe-eval in my website Content security policy.

    • This topic was modified 1 year, 3 months ago by islp.
Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author Takayuki Miyoshi

    (@takayukister)

    If you mean the use of inline script in front-side non-admin pages, only when you use [recaptcha] form-tags in your form it does embed inline JavaScript. Otherwise, no, it doesn’t use them.

    So, I suppose this one is what you mean:

    <script type='text/javascript'>
    /* <![CDATA[ */
    var wpcf7 = {"apiSettings":{"root":"https:\/\/www.example.com\/wp-json\/contact-form-7\/v1","namespace":"contact-form-7\/v1"},"recaptcha":{"messages":{"empty":"Please verify that you are not a robot."}}};
    /* ]]> */
    </script>

    Is it possible for you to update the plugin so that this script is not inline (or isn’t this even possible?).

    (I’m not embedding anything in this front page, there’s no form at all)

    • This reply was modified 1 year, 3 months ago by islp.
    Plugin Author Takayuki Miyoshi

    (@takayukister)

    Um, I didn’t count it as inline script, sorry. It’s virtually impossible to make it not inline, and I think such decisions are not reasonable.

    Well, this is from Mozilla docs about Content Security Policy:

    ‘unsafe-inline’
    Allows the use of inline resources, such as inline <script> elements, javascript: URLs, inline event handlers, and inline <style> elements. You must include the single quotes.

    I suppose anything contained between <script> and </script> should be considered “inline” (and “unsafe” too), but maybe I’m wrong…

    (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src)

    • This reply was modified 1 year, 3 months ago by islp.

    Maybe, this could be solved if that line could live in an external .js file
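A CSP that omits 'unsafe-inline' can still permit one specific inline script by listing its hash in script-src (a hash-source such as 'sha256-…'), which is the middle ground between the two positions above. The script below is an added example, not code from the thread or from Contact Form 7: it extracts the body of each inline script from a constructed sample page (the wpcf7 snippet quoted earlier, with assumed paths and values) and emits the matching script-src directive. The browser hashes exactly the text between the opening and closing script tags, including the CDATA comment lines and surrounding newlines, so the helper deliberately does not strip anything.

```python
import base64
import hashlib
from html.parser import HTMLParser
from typing import List, Optional

# Constructed sample page (assumed markup, not the plugin's real output): the inline
# wpcf7 snippet quoted in the thread plus one external script, which needs no hash.
SAMPLE_HTML = r"""<html><head>
<script type='text/javascript'>
/* <![CDATA[ */
var wpcf7 = {"apiSettings":{"root":"https:\/\/www.example.com\/wp-json\/contact-form-7\/v1","namespace":"contact-form-7\/v1"},"recaptcha":{"messages":{"empty":"Please verify that you are not a robot."}}};
/* ]]> */
</script>
<script src="/wp-content/plugins/contact-form-7/includes/js/scripts.js"></script>
</head><body></body></html>
"""

CSP_HASH_ALGORITHMS = ("sha256", "sha384", "sha512")  # the only digests CSP accepts


class _InlineScriptCollector(HTMLParser):
    """Collects the exact text of every <script> element that has no src attribute."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=False)  # keep the body character-for-character
        self.bodies: List[str] = []
        self._buf: Optional[List[str]] = None

    def handle_starttag(self, tag, attrs):
        if tag == "script" and not any(name == "src" for name, _ in attrs):
            self._buf = []  # inline script: start recording

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)  # may arrive in several chunks; concatenate later

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.bodies.append("".join(self._buf))
            self._buf = None


def inline_script_bodies(html: str) -> List[str]:
    """Return the text between <script ...> and </script> for each inline script.

    Browsers hash exactly this text, so the leading/trailing newlines and the
    CDATA comment lines are part of the input and must not be stripped.
    """
    collector = _InlineScriptCollector()
    collector.feed(html)
    collector.close()
    return collector.bodies


def csp_hash(body: str, algo: str = "sha256") -> str:
    """Return the quoted hash-source token ('sha256-<base64>') for one script body."""
    if algo not in CSP_HASH_ALGORITHMS:
        raise ValueError(f"CSP does not allow {algo}")
    digest = hashlib.new(algo, body.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def parse_hash_source(token: str):
    """Split a quoted hash-source back into (algo, digest bytes); raise on malformed input."""
    if not (token.startswith("'") and token.endswith("'")):
        raise ValueError("hash-source must be single-quoted")
    algo, _, b64 = token[1:-1].partition("-")
    if algo not in CSP_HASH_ALGORITHMS:
        raise ValueError(f"unknown hash algorithm {algo!r}")
    digest = base64.b64decode(b64, validate=True)
    expected = hashlib.new(algo).digest_size
    if len(digest) != expected:
        raise ValueError(f"{algo} digest must be {expected} bytes, got {len(digest)}")
    return algo, digest


def script_src_directive(html: str, sources=("'self'",), algo: str = "sha256") -> str:
    """Build a script-src directive that allows the page's inline scripts by hash only."""
    hashes = [csp_hash(body, algo) for body in inline_script_bodies(html)]
    return "script-src " + " ".join([*sources, *hashes])


if __name__ == "__main__":
    print("Content-Security-Policy: " + script_src_directive(SAMPLE_HTML))
```

The hash is only as stable as the script text: the wpcf7 snippet embeds the site URL and the reCAPTCHA message, so the directive must be regenerated whenever those settings change, and any whitespace difference between what was hashed and what the server sends makes the browser block the script. A per-response nonce ('nonce-…' in script-src, matched by a nonce attribute on the tag) avoids recomputation but requires the code that prints the tag to emit the attribute; a hash needs no cooperation from the plugin.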

  • The topic ‘CSP and unsafe-inline’ is closed to new replies.