
How to determine CSP for Wordpress

I'm trying to implement Content-Security-Policy headers for WordPress but am having trouble identifying all the URLs it needs access to. Specifically, I have tried adding the header:

```apache
Header always set Content-Security-Policy "default-src 'self' https://blogname.com:*"
```

However, when I set this, the "edit/create Post" page in particular throws a bunch of errors which look to be related to:

  • 3rd-party fonts it needs to download
  • Other AJAX requests for JavaScript (e.g. for the editor)
  • Other stuff, probably related to plugins

How can I easily identify all the 3rd-party URLs that are needed for WordPress and all of its plugins, so that I can add them to the CSP header?

wordpress apache2 content-security-policy

asked Nov 14 '16 at 3:00

srkiNZ84

Sounds like you're on the right tracks. Identify problematic resources, patch your CSP policy and reload until all errors are gone. Then, start again with Firefox or Chrome depending on which was first. I don't know of any shortcut here, can be redundant and quite painful at first, ... Also consider WordPress updates may involve breaking changes.

– SYN
Nov 14 '16 at 3:06

2 Answers

This policy worked for me:

```apache
Header always set Content-Security-Policy "default-src 'unsafe-inline' 'unsafe-eval' 'self'; font-src 'self' data: https://fonts.gstatic.com:443; img-src 'self' data: https://secure.gravatar.com:443; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com:443"
```

The Twitter example from https://www.owasp.org/index.php/Content_Security_Policy_Cheat_Sheet#Mixed_Content_Policy was particularly helpful as a starting point.

answered Nov 15 '16 at 1:10

srkiNZ84

Use the header Content-Security-Report-Only first. This will allow you to test the policy and tune it. It works the same as the "regular" CSP header, except policy violations are not blocked, just reported. You can use the free service https://report-uri.io/ to receive the reports.

answered Aug 5 '17 at 23:12

Julien