• If I set the Content Security Policy header in the .htaccess for a site, even with fairly lax policy settings, I get errors regarding blocked content when I have WP Super Cache enabled once a page is cached. If I disable WP Super Cache, the errors go away. I’m using mod_rewrite for caching.

    Is there a way to make WP Super Cache work with a Content Security Policy header?

Viewing 2 replies - 1 through 2 (of 2 total)
  • If you see “blocked content”, then CSP headers work correctly, but something else has screwed up. Ideally, CSP headers need to be inserted directly using the server (using htaccess file for example). Please post more info to help us help you. Ideally, a test URL helps to identify what’s going on with CSP headers.

    • This reply was modified 7 years, 7 months ago by Pothi Kalimuthu. Reason: to auto-notify me via email
    Thread Starter linux4me2

    (@linux4me2)

    Thanks for the reply. Yes, the Content Security Policy headers, which I am putting in my .htaccess in an IfModule for mod_headers.c, are working just fine; the problem comes when I enable WP Super Cache, at which point they are failing for some reason.

    I did some more experimenting, and got the following to work with WP Super Cache enabled:

    <IfModule mod_headers.c>
      Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://fonts.gstatic.com https://www.google.com https://www.gstatic.com https://secure.gravatar.com;"
    </IfModule>

    It didn’t help much though with my score for Content Security Policy on Mozilla’s Observatory, because I had to use “unsafe-inline” to accommodate some of the inline CSS and javascript in my theme.

    When I use specific directives, it seems that I can handle most types of content with WP Super Cache enabled except the following, which comes from Google’s reCAPTCHA:

    Content Security Policy: The page's settings blocked the loading of a resource at https://www.google.com/recaptcha/api2/anchor?k=XXXXXXXXXX.&hl=en&v=bXXXXXXX&size=normal&cb=v5lx3rnqwhxi ("default-src https://thedomain.com").

    So far, I haven’t been able to figure out what kind of resource “anchor” is, though with WP Super Cache disabled, or with the lax setting above, I don’t get this error.
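Added example (not from the thread or the WP Super Cache project): a small CSP source-matching checker that shows why the reCAPTCHA "anchor" URL from the error above is blocked. The anchor is the reCAPTCHA widget's iframe, so it is governed by frame-src, falling back to child-src and then default-src; the policy strings, the page origin thedomain.com and the key value are placeholders taken from or modelled on the thread, and host/path matching is simplified (no port or wildcard-path handling).

```python
from urllib.parse import urlparse

# CSP fetch-directive fallback chains: the first directive present governs the load.
FALLBACK = {
    "frame-src": ["frame-src", "child-src", "default-src"],
    "script-src": ["script-src", "default-src"],
    "img-src": ["img-src", "default-src"],
    "font-src": ["font-src", "default-src"],
}

def parse_csp(header):
    """Split 'directive src src; directive src' into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_matches(source, url, page_origin):
    """Simplified CSP host-source matching of one source expression against a URL."""
    u = urlparse(url)
    if source == "'none'":
        return False
    if source == "'self'":
        return (u.scheme, u.netloc) == page_origin
    if source.startswith("'"):          # 'unsafe-inline', nonces, hashes never match a URL
        return False
    if source.endswith(":"):            # scheme-source such as https:
        return u.scheme == source[:-1]
    s = urlparse(source if "://" in source else "//" + source)
    if s.scheme and s.scheme != u.scheme:
        return False
    host = u.hostname or ""
    expr = s.hostname or ""
    host_ok = host.endswith(expr[1:]) if expr.startswith("*.") else host == expr
    path_ok = (not s.path) or u.path.startswith(s.path)   # path-part is a prefix match
    return host_ok and path_ok

def allowed(policy, directive, url, page_origin):
    """True if the policy lets `directive` load `url`; no governing directive means allowed."""
    for d in FALLBACK[directive]:
        if d in policy:
            return any(source_matches(src, url, page_origin) for src in policy[d])
    return True

# Constructed inputs modelled on the thread (site key is a placeholder, not a real key).
PAGE_ORIGIN = ("https", "thedomain.com")
RECAPTCHA = "https://www.google.com/recaptcha/api2/anchor?k=PLACEHOLDER_SITE_KEY&hl=en"
STRICT = "default-src https://thedomain.com"
LAX = "default-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://fonts.gstatic.com https://www.google.com https://www.gstatic.com https://secure.gravatar.com;"
# Hypothetical tighter policy: allow only the reCAPTCHA frame instead of widening default-src.
SCOPED = "default-src 'self'; frame-src https://www.google.com/recaptcha/; script-src 'self' https://www.google.com https://www.gstatic.com"
```

Running `allowed(parse_csp(STRICT), "frame-src", RECAPTCHA, PAGE_ORIGIN)` reproduces the block, while the LAX and SCOPED policies both permit the frame; SCOPED does so without granting www.google.com for every resource type.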

  • The topic ‘WP Super Cache Is Not Compatible with Content Security Policy Headers?’ is closed to new replies.