Title: inline script violates Content Security Policy Directive
Last modified: October 15, 2020

---

# inline script violates Content Security Policy Directive

 *  Resolved [haddlyapis](https://wordpress.org/support/users/haddlyapis/)
 * (@haddlyapis)
 * [5 years, 7 months ago](https://wordpress.org/support/topic/inline-script-violates-content-security-policy-directive/)
 * Hi there,
   firstly, thx for making such a great plugin! Due to new GDPR guidelines certain inline scripts are no longer allowed and must be either added to external files or removed. The following error has been thrown while analysing my site:
 *     ```
       [Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self' fonts.googleapis.com maxcdn.bootstrapcdn.com fonts.gstatic.com". Either the 'unsafe-inline' keyword, a hash ('sha256-nW9BO1zcJKNZj0R02xvvhnfdGRH2lKj/rpfS1P5VgEU='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
       ```
 * which relates to the following inline script: `<script type='text/javascript' id='wordfenceAJAXjs-js-extra'>`
   Could you please advise here on what to do? thx

Viewing 6 replies - 1 through 6 (of 6 total)

 *  Plugin Support [wfpeter](https://wordpress.org/support/users/wfpeter/)
 * (@wfpeter)
 * [5 years, 7 months ago](https://wordpress.org/support/topic/inline-script-violates-content-security-policy-directive/#post-13542014)
 * Hi [@haddlyapis](https://wordpress.org/support/users/haddlyapis/), thanks for
   seeking our advice on this.
 * Which new GDPR guideline in particular are you referring to? If you have a link
   or text paragraph from the directives, it would help us assess whether we need
   to make an update to the plugin itself to ensure compliance going forward.
 * As you currently only have `default-src` set it’s falling back on that policy,
   so you could include a `script-src` to specifically address this issue with
   `'unsafe-inline'` as suggested in the analysis you provided:
 *     ```
       Header always set Content-Security-Policy "script-src https://my-site.com https://fonts.googleapis.com https://fonts.gstatic.com 'unsafe-inline' 'unsafe-eval' data:"
       ```
   
 * If you wish to avoid producing that script specifically, you could turn off the
   options under **Wordfence > All Options > Whitelisted URLs > Monitor background
   requests from an administrator’s web browser** on the front end and/or admin 
   pages.
 * Thanks,
 * Peter.
 *  Thread Starter [haddlyapis](https://wordpress.org/support/users/haddlyapis/)
 * (@haddlyapis)
 * [5 years, 6 months ago](https://wordpress.org/support/topic/inline-script-violates-content-security-policy-directive/#post-13560869)
 * Hi there,
    so, to be more specific, this is more an issue with CSP Cross site
   scripting: [https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP)
   and the errors that have been thrown above are via the site [https://webbkoll.dataskydd.net/](https://webbkoll.dataskydd.net/)
 *  Plugin Support [wfpeter](https://wordpress.org/support/users/wfpeter/)
 * (@wfpeter)
 * [5 years, 6 months ago](https://wordpress.org/support/topic/inline-script-violates-content-security-policy-directive/#post-13572475)
 * Hi [@haddlyapis](https://wordpress.org/support/users/haddlyapis/),
 * Wordfence uses an inline script to call a script on the page itself, is not running
   it externally, and is not using it in a manner that is inappropriate for the 
   level of risk – which is stated in the GDPR Article 32 guideline.
 * GDPR does not state that inline scripts violate privacy laws, although it does
   recommend server settings such as your `Content-Security-Policy` to set a level
   of security appropriate to the “risk”. If you consider the 3rd party site scan
   to have shown a violation of GDPR on your site, please contact the 3rd party 
   tool and/or your legal counsel to determine if the site is in fact violating 
   GDPR law.
 * We are not able to ultimately decide this for you as our view is that we are 
   using inline scripts within GDPR guidelines.
 * Thanks again,
 * Peter.
 *  Thread Starter [haddlyapis](https://wordpress.org/support/users/haddlyapis/)
 * (@haddlyapis)
 * [5 years, 6 months ago](https://wordpress.org/support/topic/inline-script-violates-content-security-policy-directive/#post-13580572)
 * Hi there Peter,
 * thank you for your diligence and researching this topic in more depth. I will
   pass this information back to our GDPR consultant.
 * But for the “hardliners”, is there any discussion on making these inline scripts
   more secure by adding either nonces or hashes?
   Here is a good article on how they stop cross site scripting: [https://www.troyhunt.com/locking-down-your-website-scripts-with-csp-hashes-nonces-and-report-uri/](https://www.troyhunt.com/locking-down-your-website-scripts-with-csp-hashes-nonces-and-report-uri/)
   regards Daniel.
    -  This reply was modified 5 years, 6 months ago by [haddlyapis](https://wordpress.org/support/users/haddlyapis/).
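The nonce/hash approach raised in this post, as an added example that is not part of the thread and not code from the Wordfence plugin: a small Python helper that computes the `'sha256-…'` source expression a browser expects for an inline script body, generates a per-response nonce, and evaluates whether a given policy would allow the script, including the `script-src` to `default-src` fallback that the report-only message mentions. The script body, host names and URL below are constructed sample values; the hash format and the CSP Level 2 rule that `'unsafe-inline'` is ignored once a hash or nonce source is present are standard browser behaviour.

```python
import base64
import hashlib
import secrets

# Constructed sample inline script body (not the plugin's real script);
# a CSP hash covers the exact text between <script> and </script>.
SAMPLE_SCRIPT = 'var wfSample = {"ajaxURL":"https://example.invalid/wp-admin/admin-ajax.php"};\n'

# The report-only policy quoted in the first post of the thread.
REPORTED_POLICY = ("default-src 'self' fonts.googleapis.com "
                   "maxcdn.bootstrapcdn.com fonts.gstatic.com")


def csp_script_hash(script_body: str) -> str:
    """Source expression for an inline script: 'sha256-<base64 digest>'."""
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def make_nonce() -> str:
    """Fresh, unguessable nonce; must be regenerated for every response."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def parse_csp(header: str) -> dict:
    """Split a policy string into {directive-name: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_script_sources(policy: dict) -> list:
    """script-src governs inline scripts; when absent, default-src is the fallback."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src", [])


def inline_script_allowed(header: str, script_body: str, nonce: str = None) -> bool:
    """Decide whether a browser enforcing `header` would run `script_body`.

    `nonce` is the value carried in the script tag's nonce attribute, if any.
    """
    sources = effective_script_sources(parse_csp(header))
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources)
    # CSP Level 2: 'unsafe-inline' is ignored when a nonce or hash source is present,
    # so adding a hash does not silently re-enable every other inline script.
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        return True
    if csp_script_hash(script_body) in sources:
        return True
    return nonce is not None and f"'nonce-{nonce}'" in sources


def build_script_src(hosts, inline_bodies=(), nonce=None) -> str:
    """Assemble a script-src directive allowing listed hosts plus specific inline scripts."""
    sources = ["'self'", *hosts]
    sources += [csp_script_hash(body) for body in inline_bodies]
    if nonce:
        sources.append(f"'nonce-{nonce}'")
    return "script-src " + " ".join(sources)


if __name__ == "__main__":
    print("reported policy allows sample script:",
          inline_script_allowed(REPORTED_POLICY, SAMPLE_SCRIPT))
    hardened = "default-src 'self'; " + build_script_src(
        ["fonts.googleapis.com"], inline_bodies=[SAMPLE_SCRIPT])
    print(hardened)
    print("hardened policy allows sample script:",
          inline_script_allowed(hardened, SAMPLE_SCRIPT))
    print("hardened policy allows a modified script:",
          inline_script_allowed(hardened, SAMPLE_SCRIPT + "x"))
```

A hash only works when the emitted script text is byte-for-byte stable across responses; when the body carries per-page data (URLs, tokens), a nonce that the server generates per response and places both in the header and in the `nonce` attribute of the tag is the practical choice. Either way the policy can stay in report-only mode first so that every blocked script shows up in the browser console or report endpoint before enforcement is switched on.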
 *  Thread Starter [haddlyapis](https://wordpress.org/support/users/haddlyapis/)
 * (@haddlyapis)
 * [5 years, 6 months ago](https://wordpress.org/support/topic/inline-script-violates-content-security-policy-directive/#post-13580933)
 * Also, I have just realised that this is only a scripting issue for the admin
   of the site, not for users. (`<script type='text/javascript' id='wordfenceAJAXjs-js-extra'>`)
   If someone gets access to my Admin, then I have more worrisome
   things to think about than XSS. cheers.
 *  Plugin Support [wfpeter](https://wordpress.org/support/users/wfpeter/)
 * (@wfpeter)
 * [5 years, 6 months ago](https://wordpress.org/support/topic/inline-script-violates-content-security-policy-directive/#post-13585251)
 * Hi [@haddlyapis](https://wordpress.org/support/users/haddlyapis/), glad we could
   be of assistance.
 * We have development suggestion channels and I have put nonce/hash addition to
   Wordfence scripts forward. I cannot comment here on potential timescales going
   forward, but legitimate use-cases like yours will certainly be taken seriously
   in our discussions.
 * Thanks again,
 * Peter.


The topic ‘inline script violates Content Security Policy Directive’ is closed to
new replies.
