Support » Plugin: Wordfence Security - Firewall & Malware Scan » EvalError: call to Function() blocked by CSP

  • Getting errors in console and some features not working on several WordFence 7.4.7 pages like Firewall, Blocking, All Options, …

    EvalError: call to Function() blocked by CSP ... jquery.tmpl.min.1587658822.js

    Client site had Content Security Policy for scripts set to script-src 'self' 'unsafe-inline' which triggers the errors.

    Can this be fixed in WordFence?

    Client is not really happy with having to add unsafe-eval to his CSP for scripts to make WordFence work, renders the CSP pretty useless.

    Thanks for great plugin.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Hey @ov3rfly,

    Can you please switch the Wordfence Firewall into Learning Mode and let me know if it helps?

    https://www.wordfence.com/help/firewall/learning-mode/

    Please let me know.

    Thanks,

    Gerroald

    Thread Starter Ov3rfly

    (@ov3rfly)

    Firewall is off.

    Opening WordFence pages in backend triggers the error.

    Example for .htaccess for this specific error:

    Header set Content-Security-Policy "script-src 'self' 'unsafe-inline';"
    

    If you use a more strict CSP for everything, a lot more and other errors are triggered.

    Header set Content-Security-Policy "default-src 'self';"
    

    More about CSP e.g. here, currenty WordFence needs a setting of unsafe-eval which allows eval() in js from strings, which renders whole CSP purpose pretty much useless.

    Hey @ov3rfly,

    I did a little more digging on this. We currently have a report filed where the developers are considering how to best handle this. Currently, I don’t have a timeline for you. But I have added a link to this thread so we can update you with any progress. Just so you know, the internal case file number is FB7155.

    Please let us know if anything else comes up.

    Thanks,

    Gerroald

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘EvalError: call to Function() blocked by CSP’ is closed to new replies.