Support » Plugin: Simple Custom CSS and JS » relative inclusion of snippets causes CSP issues

  • Resolved ctra

    (@ctra)


    When including snippets, a relative URL will be used, like:
    <script src='//domain.tld/wp-content/uploads/custom-css-js/160.js?v=5555'></script>
    However, this relative URI (although perfectly valid) causes CSP (Content Security Policy) alerts as content may also be fetched using insecure protocols. In essence, the protocol-relative URI does not match the ‘self’ target in a CSP. As a result, the “Subresource Integrity” check kicks in and due to lack of hashes (why would you do this on an internal server) the score of a page is downgraded.

    Would it be possible to inherit the URI scheme from the WordPress site or make it configurable instead of using a protocol-relative one?

  • Plugin Author Diana Burduja

    (@diana_burduja)

    A resource with a protocol relative URL will resolve to the website’s protocol. In my understanding the protocol relative URL will match the “self” target of a CSP.

    Could you give me a link to your website so I can have a look? What browser are you using? Is the JS custom code blocked by CSP in other browsers? Are the other JS/CSS/image resources on the website blocked by the CSP?

  • The topic ‘relative inclusion of snippets causes CSP issues’ is closed to new replies.
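
How a browser resolves the protocol-relative `src` discussed in this thread and compares the result with the CSP `'self'` source, as an added example that is not code from the plugin or from either poster. The function names and page URLs are illustrative and constructed, and the matching is a simplified model of the `'self'` rule in CSP Level 3.

```javascript
// Added illustration: resolve a script src against the page URL, then test
// the resolved URL against CSP 'self' (simplified CSP Level 3 model).
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// URL.port is "" when the port is the scheme default; make it explicit.
function effectivePort(u) {
  return u.port !== "" ? u.port : (DEFAULT_PORTS[u.protocol] || "");
}

// A src such as //host/path is resolved relative to the document URL,
// so it inherits the scheme of the page that includes it.
function resolveSrc(src, pageUrl) {
  return new URL(src, pageUrl);
}

function matchesSelf(src, pageUrl) {
  const page = new URL(pageUrl);
  const url = resolveSrc(src, pageUrl);
  // Case 1: identical origin (scheme, host and port).
  if (url.origin === page.origin) return true;
  // Case 2: same host, ports equal or both scheme defaults, and the
  // resource is either a secure upgrade or both sides are insecure.
  if (url.hostname !== page.hostname) return false;
  const portsOk = effectivePort(url) === effectivePort(page) ||
    (url.port === "" && page.port === "");
  if (!portsOk) return false;
  if (url.protocol === "https:" || url.protocol === "wss:") return true;
  return page.protocol === "http:" &&
    (url.protocol === "http:" || url.protocol === "ws:");
}

// Constructed inputs: the snippet URL from the thread on hypothetical pages.
const SNIPPET = "//domain.tld/wp-content/uploads/custom-css-js/160.js?v=5555";
const CASES = [
  ["https://domain.tld/page/", SNIPPET],                      // inherits https
  ["http://domain.tld/page/", SNIPPET],                       // inherits http
  ["https://domain.tld/page/", "http://domain.tld/160.js"],   // explicit downgrade
  ["http://domain.tld/page/", "https://domain.tld/160.js"],   // explicit upgrade
  ["https://domain.tld/page/", "//cdn.domain.tld/160.js"],    // different host
];
for (const [page, src] of CASES) {
  console.log(page, "->", resolveSrc(src, page).href, "self:", matchesSelf(src, page));
}
```

Only the explicit `http://` URL on an HTTPS page and the different-host URL fail the `'self'` comparison in this model; what a site actually enforces is visible in the `Content-Security-Policy` response header and the browser console's violation reports.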