Support » Plugin: NinjaFirewall (WP Edition) - Advanced Security » plugin reformats CSP

  • Resolved bz61vl0p

    (@bz61vl0p)


    Hi,
    first of all I must thank you for your patience and support.

    1.
    I am using the frontend CSP option and at the moment I am inserting hashes to avoid unsafe-inline – in Chrome I have noticed that Chrome shows no great problems directly after entering and saving the CSP. Chrome only accepts hashes with an empty space in between and this is where your plugin causes the problem – after leaving WordPress the plugin seems to reformat the CSP and while doing this also deletes the empty spaces. Result: now Chrome refuses the hashes as invalid.
    Is there a way to avoid this – if not, can I separately add a CSP for the frontend in a .htaccess, for example? (Please have patience – just a pointer.)

    2.
    I can also configure the dashboard (backend?) CSP.
    Could I theoretically delete unsafe-inline and unsafe-eval, if WordPress (core), used theme and plugins do use inline-scripts/styles and eval()?

    If yes – does your plugin need inline-scripts/styles or eval()?

  • Hi
    Correction:
    I wrote

    do use inline-scripts/styles and eval()?

    Of course I meant do not use inline-scripts/styles and eval().

    And of course
    Best Regards and thanks

    Plugin Author nintechnet

    (@nintechnet)

    Hi,

    Could you show me an example of input that you enter in the CSP field, and also what it looks like after being modified?
    The firewall will only remove the following characters from the CSP field: ‘<’, ‘>’, “\x0a”, “\x0d”, ‘%’, ‘$’ and ‘&’.

    Regarding the backend, NinjaFirewall requires inline-scripts/styles so I don’t recommend using hashes for that part.

    Hi,
    today I regret you’re so fast – it seems the formatting was my fault, at least I cannot reproduce it today. My excuses.
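
Added example, not part of the thread and not NinjaFirewall's code: a Python model of the character filter described in the plugin author's reply, assuming the listed characters are deleted rather than replaced with a space. It shows that sha256 hash sources on one space-separated line pass through unchanged, while sources separated only by line breaks fuse into a single invalid token; the function names and sample scripts are constructed for illustration.

```python
import base64
import hashlib
import re

# Characters the plugin author says are removed from the CSP field.
STRIPPED = "<>\n\r%$&"
# CSP hash-source grammar: single-quoted 'sha256-<base64>' (also sha384/sha512).
HASH_SOURCE = re.compile(r"^'sha(256|384|512)-[A-Za-z0-9+/_-]+={0,2}'$")


def csp_hash(inline_script: str) -> str:
    """Return the hash-source for the exact text between the <script> tags."""
    digest = hashlib.sha256(inline_script.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def model_filter(policy: str) -> str:
    """Model of the described filter (assumption: characters are deleted)."""
    return policy.translate({ord(c): None for c in STRIPPED})


def malformed_sources(policy: str) -> list:
    """Return tokens that contain a hash source but break the grammar."""
    bad = []
    for directive in policy.split(";"):
        for token in directive.split()[1:]:  # skip the directive name
            if "'sha" in token and not HASH_SOURCE.match(token):
                bad.append(token)
    return bad


# Constructed sample inline scripts and policies.
H1 = csp_hash("console.log('a');")
H2 = csp_hash("console.log('b');")
ONE_LINE = f"script-src 'self' {H1} {H2}; object-src 'none'"
MULTI_LINE = f"script-src 'self'\n{H1}\n{H2}; object-src 'none'"

if __name__ == "__main__":
    for name, policy in (("one line", ONE_LINE), ("multi line", MULTI_LINE)):
        stored = model_filter(policy)
        print(name, "unchanged:", stored == policy)
        print("  malformed tokens:", malformed_sources(stored))
```

Entering the whole policy on a single line with one space between sources avoids the fused-token case under this model.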
