
I have a wordpress website that runs on a LAMP system.

I tried to improve security (I’m far from being an expert!) and added a CSP header.

Header set Content-Security-Policy "default-src 'self'; font-src 'self' data: https://fonts.gstatic.com; frame-src https://www.google.com https://www.youtube.com; img-src 'self' https://secure.gravatar.com; script-src 'self' 'unsafe-inline' ; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; object-src 'none'"

What I don't understand: if I remove the 'unsafe-inline' from the script-src, my calendar widget does not load anymore in a Windows browser (tested both Firefox and Chrome). But it works in a Linux browser (Firefox).

Is this a bug in apache2, in the Windows browsers, or in the calendar WP plugin?

I’m confused. 🙂

2 Answers


  1. Chosen as BEST ANSWER

    So the different Windows/Linux behaviour comes from the Laboratory plugin that was running in my Linux Firefox. I have to check with the plugin author why unsafe-inline is required.


  2. It doesn't look like an Apache bug; Apache just sends the CSP as a string without even understanding what's in it.

    Of course, you can use User-Agent conditions in httpd.conf, like:

    SetEnvIfNoCase User-Agent "Linux x86_64" noCSP=1
    

    and then publish the CSP relying on the noCSP flag to exclude the CSP header for some kinds of user agents.
    But you can easily clarify that and ensure you have the same CSP header for the Windows and Linux browsers.

    I think the WP calendar plugin uses some inline scripts, which are blocked in the absence of 'unsafe-inline'. You can check the corresponding CSP errors in the browser console of the Windows browser.

    Maybe you disabled CSP in your Linux Firefox browser (about:config page -> security.csp.enable -> false) or have some extensions which disable CSP.

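Following on from the header posted in the question and the second answer's point that the plugin's inline scripts are what 'unsafe-inline' is covering for, here is an added example (not code from this thread, from Apache, or from any WordPress plugin) in Python. It parses the posted policy, confirms that script-src currently permits inline scripts, and builds the hardened form a practitioner would usually reach for: drop 'unsafe-inline' from script-src and allow each known inline script by its sha256 hash source instead. The inline script body is a constructed placeholder, since the calendar plugin's actual markup is not on the page.

```python
"""Parse a Content-Security-Policy header and swap 'unsafe-inline' in
script-src for per-script hash sources.

Added example, not code from the original thread. ORIGINAL_POLICY is the
header posted in the question; INLINE_SCRIPT is a constructed placeholder
for whatever the calendar plugin actually prints into the page."""

import base64
import hashlib

# The policy from the question, exactly as set in the Apache config.
ORIGINAL_POLICY = (
    "default-src 'self'; font-src 'self' data: https://fonts.gstatic.com; "
    "frame-src https://www.google.com https://www.youtube.com; "
    "img-src 'self' https://secure.gravatar.com; "
    "script-src 'self' 'unsafe-inline' ; "
    "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; "
    "object-src 'none'"
)

# Constructed stand-in for an inline <script> block emitted by a plugin.
INLINE_SCRIPT = "window.calendarConfig = {locale: 'en'};"


def parse_policy(policy: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source expressions]}.

    Directives are separated by ';' and tokens by ASCII whitespace, so the
    stray space before ';' in the posted header is tolerated here just as
    browsers tolerate it. Browsers honour only the first occurrence of a
    repeated directive, which setdefault reproduces."""
    directives: dict[str, list[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name, *sources = tokens
        directives.setdefault(name.lower(), sources)
    return directives


def serialize_policy(directives: dict[str, list[str]]) -> str:
    """Re-join a parsed policy into a header value."""
    return "; ".join(
        f"{name} {' '.join(sources)}".rstrip() for name, sources in directives.items()
    )


def allows_inline_scripts(directives: dict[str, list[str]]) -> bool:
    """True when inline <script> blocks may execute under this policy.

    script-src governs scripts; default-src is the fallback when script-src
    is absent. Under CSP Level 2 and later, a nonce or hash source in the
    same directive makes browsers ignore 'unsafe-inline', so it only counts
    when neither is present."""
    sources = directives.get("script-src", directives.get("default-src", []))
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
    )
    return "'unsafe-inline'" in sources and not has_nonce_or_hash


def script_hash_source(script_body: str) -> str:
    """CSP hash source for an inline script: 'sha256-<base64(sha256(body))>'.

    The body is hashed byte-for-byte as it appears between the <script>
    tags, so one changed character or a stripped newline breaks the match."""
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return f"'sha256-{base64.b64encode(digest).decode('ascii')}'"


def harden_script_src(policy: str, inline_scripts: list[str]) -> str:
    """Return the policy with 'unsafe-inline' removed from script-src and one
    hash source added per inline script; every other directive is untouched."""
    directives = parse_policy(policy)
    sources = [s for s in directives.get("script-src", []) if s != "'unsafe-inline'"]
    sources.extend(script_hash_source(body) for body in inline_scripts)
    directives["script-src"] = sources
    return serialize_policy(directives)


if __name__ == "__main__":
    print("inline scripts allowed before:", allows_inline_scripts(parse_policy(ORIGINAL_POLICY)))
    hardened = harden_script_src(ORIGINAL_POLICY, [INLINE_SCRIPT])
    print("inline scripts allowed after: ", allows_inline_scripts(parse_policy(hardened)))
    print(hardened)
```

The browser console is where you get the input for this: when Chromium blocks an inline script it names the directive and prints the sha256 hash it would have accepted, which is the value `script_hash_source` computes. Two caveats apply: if the plugin's inline script changes between page loads (embedded dates, per-user settings), a fixed hash will not match and a per-response nonce is needed instead; and this example deliberately leaves the 'unsafe-inline' in style-src alone, since the question only reported script-src causing the breakage.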