Title: granty's Replies | WordPress.org

---

# granty

  [  ](https://wordpress.org/support/users/csplite/)

 *   [Profile](https://wordpress.org/support/users/csplite/)
 *   [Topics Started](https://wordpress.org/support/users/csplite/topics/)
 *   [Replies Created](https://wordpress.org/support/users/csplite/replies/)
 *   [Reviews Written](https://wordpress.org/support/users/csplite/reviews/)
 *   [Topics Replied To](https://wordpress.org/support/users/csplite/replied-to/)
 *   [Engagements](https://wordpress.org/support/users/csplite/engagements/)
 *   [Favorites](https://wordpress.org/support/users/csplite/favorites/)

 Search replies:

## Forum Replies Created

Viewing 4 replies - 1 through 4 (of 4 total)

 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[Redirection] Content-Security-Policy warning](https://wordpress.org/support/topic/content-security-policy-warning-2/)
 *  [granty](https://wordpress.org/support/users/csplite/)
 * (@csplite)
 * [4 years, 10 months ago](https://wordpress.org/support/topic/content-security-policy-warning-2/#post-14837118)
 * 1. _“This policy contains ‘unsafe-inline’ which is dangerous in the script-src
   directive.”_ is really dangerous because such CSP does not protect against XSS.
   
   If there is an XSS vulnerability on the web-page, it can be easily exploited 
   for inserting any inline scripts.
 * 2. An `'unsafe-eval'` in the script-src counts as ‘potentially dangerous’, even`
   myaccount.google.com` and `account.google.com` pages use it. But in some conditions`'
   unsafe-eval'` can become very dangerous.
    For example if you allow some public
   CDN in the `script-src`, in case of XSS attacker can load AngularJS or VueJS 
   library with symbolic code execution. In this case, the attacker will no longer
   need to insert inline scripts – he will simply inject HTML markup like:
 *  `<div ng-app ng-csp>{{$eval.constructor('alert(\'XSS\')')()}}</div>`
 * 3. An `‘unsafe-inline’` in the `style-src` directive is really ‘potentially dangerous’.
 * So your CSP:
    `default-src ‘self’; script-src ‘unsafe-inline’ ‘unsafe-eval’ http:;
   style-src ‘unsafe-inline’ http:; img-src http: data:; font-src http: data:; sandbox
   allow-forms allow-scripts`
 * is not protect against XSS. An ‘unsafe-inline’ allows to inject any inline scripts,
   and `‘unsafe-eval’` + `http:` allows to load any framework from public CDN and
   inject scripts via HTML markup.
    -  This reply was modified 4 years, 10 months ago by [granty](https://wordpress.org/support/users/csplite/).
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[SeaSP Community Edition] Objects blocked but no clear error message in browser console](https://wordpress.org/support/topic/objects-blocked-but-no-clear-error-message-in-browser-console/)
 *  [granty](https://wordpress.org/support/users/csplite/)
 * (@csplite)
 * [5 years, 3 months ago](https://wordpress.org/support/topic/objects-blocked-but-no-clear-error-message-in-browser-console/#post-14259946)
 * Firefox does not support ‘script-src-elem’ / ‘style-src-elem’ / ‘style-src-attr’
   directives. Only Chrome supports these. That’s why Firefox diags in console:
   `
   Content Security Policy: Couldn’t process unknown directive ‘...’` It’s not an
   error, just information message.
 * Therefore you anyway have to use in the Content Security Policy ‘script-src’ 
   and ‘style-src’ directives. And to full them by hosts/tokens like:
 *     ```
       ‘script-src’ = ‘script-src-elem’ + ‘script-src-attr’
       ‘style-src’ = ‘style-src-elem’ + ‘style-src-attr’
       ```
   
 * with removing duplicates and incompatible sources
    -  This reply was modified 5 years, 3 months ago by [granty](https://wordpress.org/support/users/csplite/).
    -  This reply was modified 5 years, 3 months ago by [granty](https://wordpress.org/support/users/csplite/).
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[DearFlip - PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer] ‘unsafe-inline’ attribute required, making CSP less secure](https://wordpress.org/support/topic/unsafe-inline-attribute-required-making-csp-less-secure/)
 *  [granty](https://wordpress.org/support/users/csplite/)
 * (@csplite)
 * [5 years, 4 months ago](https://wordpress.org/support/topic/unsafe-inline-attribute-required-making-csp-less-secure/#post-14050851)
 * Why the question arose only about the `DearFlip` script? You have a lot of inline
   scripts on the page:
    1. `<!– Matomo –> <script type=”text/javascript”> var _paq
   = window._paq = window._paq || [];
 *  _paq.push([‘trackPageView’]);
    _paq.push([‘enableLinkTracking’]); (function(){
   var u=”https:// stats.oldrup.dk/”; _paq.push([‘setTrackerUrl’, u+’matomo.php’]);
   _paq.push([‘setSiteId’, ‘2’]); var d=document, g=d.createElement(‘script’), s
   =d.getElementsByTagName(‘script’)[0]; g.type=’text/javascript’; g.async=true;
   g.src=u+’matomo.js’; s.parentNode.insertBefore(g,s); })(); </script>`
 * 2. you mentioned `<script data-cfasync="false"> var dFlipLocation = ...</script
   >`
 * 3. `<script type=”text/javascript”>
    (function () { var c = document.body.className;
   c = c.replace(/woocommerce-no-js/, ‘woocommerce-js’); document.body.className
   = c; })() </script>`
 * 4. `<script type=’text/javascript’ id=’ct-scripts-js-extra’>
    /* <![CDATA[ */
   var ct_localizations = {“ajax_url”:”https:\/\/oldrup.art\/wp-admin\/admin-ajax.
   php”,”nonce”:”cb575b97fe”,”public_url”:”https:\/\/oldrup.art\/wp-content\/themes\/
   blocksy\/static\/bundle\/”,”rest_url”:”https:\/\/oldrup.art\/wp-json\/”,”search_url”:”
   https:\/\/oldrup.art\/search\/QUERY_STRING\/”, … /* ]]> */ </script>`
 * Yust do use `'nonce-value'` token to allow all inline script blocks.
    -  This reply was modified 5 years, 4 months ago by [granty](https://wordpress.org/support/users/csplite/).
    -  This reply was modified 5 years, 4 months ago by [granty](https://wordpress.org/support/users/csplite/).
    -  This reply was modified 5 years, 4 months ago by [granty](https://wordpress.org/support/users/csplite/).
 *   Forum: [Everything else WordPress](https://wordpress.org/support/forum/miscellaneous/)
   
   In reply to: [Social Media Share Buttons and Cookies](https://wordpress.org/support/topic/social-media-share-buttons-and-cookies/)
 *  [granty](https://wordpress.org/support/users/csplite/)
 * (@csplite)
 * [5 years, 7 months ago](https://wordpress.org/support/topic/social-media-share-buttons-and-cookies/#post-13711466)
 * Good question!
    Website visitors are so dismissive of their online privacy that
   it has become a concern for website developers.
 * Moreover, there is a “EU cookie law” you must obtain the explicit consent of 
   the EU visitor for use of cookies.
 * Some info presents on Googles web-pages: [http://www.cookiechoices.org/intl/en-GB/](http://www.cookiechoices.org/intl/en-GB/)
   [https://policies.google.com/technologies/partner-sites?hl=en-GB](https://policies.google.com/technologies/partner-sites?hl=en-GB)
   [https://policies.google.com/privacy?gl=en&hl=en-GB](https://policies.google.com/privacy?gl=en&hl=en-GB)
 * You can briefly outline the technical part, how cookie gets hooked on the user’s
   computer and what it is fraught with. And provide a link to privacy policies 
   of Google, Facebook, Twitter, Instagram and the other [40 social buttons](https://csplite.com/csp/test95/)(
   Just Kidding).
 * I liked how it’s done [here](https://fotolanding.com/en/disclaimer/).
 * Of course, no one reads such pages, but this information should be on the site
   just in case. At least out of respect for visitors and their privacy.
 * Just checked, there is WP plugins for that (everything has already been invented
   before us):
    – [GDPR Cookie Consent (CCPA Ready)](https://wordpress.org/plugins/cookie-law-info/)–
   [WP Cookie Notice for GDPR, CCPA & ePrivacy Consent](https://wordpress.org/plugins/gdpr-cookie-consent/)
    -  This reply was modified 5 years, 7 months ago by [granty](https://wordpress.org/support/users/csplite/).
    -  This reply was modified 5 years, 7 months ago by [granty](https://wordpress.org/support/users/csplite/).
    -  This reply was modified 5 years, 7 months ago by [granty](https://wordpress.org/support/users/csplite/).

Viewing 4 replies - 1 through 4 (of 4 total)