Plugin script blocked when using a strict content security policy
-
Hello, I am applying a strict content security policy (CSP) to my WordPress sites using the Strict CSP plugin.
This small block of JavaScript in the PublishPress Permissions plugin is getting blocked on all the site’s front-end pages in browsers when the Strict CSP plugin is active:

```html
<script type="text/javascript">
document.querySelectorAll("ul.nav-menu").forEach(
    ulist => {
        if (ulist.querySelectorAll("li").length == 0) {
            ulist.style.display = "none";
        }
    }
);
</script>
```

In browser dev tools, a console error of the CSP violation and script block appears. Chrome, for example, starts with this: “Executing inline script violates the following Content Security Policy directive …”.
All other plugin scripts in my sites are receiving the nonce required for the strict CSP, except for the one above from your plugin. This may be due to your plugin manually printing the script tag instead of using the WordPress helper functions, as described on the Strict CSP plugin page.
Other than that method, if your plugin has another way to opt into a strict CSP, please let me know.
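The difference the post describes between a hand-printed script tag and the WordPress helper functions, as an added example that is not code from PublishPress Permissions or the Strict CSP plugin. The `example_` function names, the `wp_footer` hook and the nonce and header handling are assumptions for illustration; `wp_print_inline_script_tag()` and the two attribute filters are WordPress core (5.7+).

```php
<?php
// Added illustration; every example_* name is hypothetical.

// JavaScript body from the post above: hides nav menus with no items.
function example_empty_menu_js() {
    return 'document.querySelectorAll("ul.nav-menu").forEach(ulist => {
    if (ulist.querySelectorAll("li").length == 0) {
        ulist.style.display = "none";
    }
});';
}

// Before: the tag is echoed by hand, so WordPress never builds it and no
// filter can add a nonce. A nonce-based CSP blocks this inline script.
function example_print_script_manually() {
    echo '<script type="text/javascript">' . example_empty_menu_js() . '</script>';
}

// After: the core helper builds the tag and runs its attributes through
// the wp_inline_script_attributes filter before printing.
function example_print_script_with_helper() {
    wp_print_inline_script_tag( example_empty_menu_js() );
}
add_action( 'wp_footer', 'example_print_script_with_helper' ); // hook is an assumption

// Assumption: how a CSP plugin could supply the nonce. One random value
// per request, reused for the header and for every script tag.
function example_csp_nonce() {
    static $nonce = null;
    if ( null === $nonce ) {
        $nonce = base64_encode( random_bytes( 16 ) );
    }
    return $nonce;
}

function example_add_nonce( $attributes ) {
    $attributes['nonce'] = example_csp_nonce();
    return $attributes;
}
add_filter( 'wp_inline_script_attributes', 'example_add_nonce' ); // inline scripts
add_filter( 'wp_script_attributes', 'example_add_nonce' );        // enqueued scripts

// The header must carry the same nonce the tags received.
function example_send_csp_header() {
    header( "Content-Security-Policy: script-src 'nonce-" . example_csp_nonce() . "' 'strict-dynamic'" );
}
add_action( 'send_headers', 'example_send_csp_header' );
```

With the helper in place the tag is printed as `<script nonce="…">`, which the browser accepts under the policy; the hand-echoed version never passes through either filter and stays blocked.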