
I'm trying to implement Content-Security-Policy headers for WordPress but am having trouble identifying all the URLs it needs access to. Specifically, I have tried adding the header:

Header always set Content-Security-Policy "default-src 'self' https://blogname.com:*"

However, when I set this, the "edit/create Post" page in particular throws a bunch of errors which look to be related to:

  • 3rd party fonts it needs to download
  • Other AJAX requests for JavaScript (e.g. for the editor)
  • Other stuff, probably related to plugins

How can I easily identify all the 3rd party URLs that are needed for WordPress and all of its plugins, so that I can add them to the CSP header?

srkiNZ84
Sounds like you're on the right track. Identify problematic resources, patch your CSP policy and reload until all errors are gone. Then, start again with Firefox or Chrome depending on which was first. I don't know of any shortcut here, it can be redundant and quite painful at first, ... Also consider WordPress updates may involve breaking changes. – SYN Nov 14 '16 at 03:06

2 Answers


Use the header Content-Security-Policy-Report-Only first. This will allow you to test the policy and tune it. It works the same as the "regular" CSP header, except policy violations are not blocked, just reported.

You can use the free service https://report-uri.io/ to receive the reports.

LyK
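The Report-Only tuning loop described in this answer, as an added example (not code from the answer, from report-uri.io or from WordPress): a small script that aggregates the JSON violation reports a browser POSTs to the report endpoint, collapses each blocked URL to its origin per directive, and merges those origins into a base policy. The report bodies are constructed samples and the base policy is an assumed starting point.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample of the JSON bodies a browser POSTs to the report endpoint
# while the site runs under Content-Security-Policy-Report-Only. Older browsers
# send only "violated-directive" (full directive text); newer ones add
# "effective-directive" (just the directive name).
SAMPLE_REPORTS = [
    '{"csp-report": {"effective-directive": "font-src", '
    '"blocked-uri": "https://fonts.gstatic.com/s/opensans/v15/a.woff2"}}',
    '{"csp-report": {"violated-directive": "style-src \'self\'", '
    '"blocked-uri": "https://fonts.googleapis.com/css?family=Open+Sans"}}',
    '{"csp-report": {"effective-directive": "img-src", '
    '"blocked-uri": "https://secure.gravatar.com/avatar/0123"}}',
    '{"csp-report": {"effective-directive": "script-src", "blocked-uri": "inline"}}',
    '{"csp-report": {"effective-directive": "font-src", '
    '"blocked-uri": "https://fonts.gstatic.com/s/roboto/v18/b.woff2"}}',
]

def blocked_sources(report_lines):
    """Group blocked values by directive, reducing each URL to its origin.
    Many distinct font or avatar URLs collapse to one allowlist entry; non-URL
    values such as 'inline' or 'eval' are kept verbatim for manual review."""
    by_directive = defaultdict(set)
    for line in report_lines:
        body = json.loads(line).get("csp-report", {})
        directive = body.get("effective-directive") or body.get("violated-directive", "")
        directive = directive.split()[0] if directive else "unknown"
        blocked = body.get("blocked-uri", "")
        parts = urlsplit(blocked)
        if parts.scheme in ("http", "https") and parts.netloc:
            by_directive[directive].add(f"{parts.scheme}://{parts.netloc}")
        else:
            by_directive[directive].add(blocked or "(empty)")
    return dict(by_directive)

def suggest_policy(base, sources):
    """Merge discovered origins into a base policy (directive -> source list)
    and render the header value. Directives whose only violations were non-URL
    values are left alone: the fix there is a nonce, a hash or a code change,
    not 'unsafe-inline'."""
    merged = {d: list(s) for d, s in base.items()}
    for directive, found in sources.items():
        origins = sorted(o for o in found if o.startswith(("http://", "https://")))
        if not origins:
            continue
        srcs = merged.setdefault(directive, ["'self'"])
        srcs.extend(o for o in origins if o not in srcs)
    return "; ".join(f"{d} {' '.join(s)}" for d, s in merged.items())
```

Run the site under Report-Only, feed the collected report lines to blocked_sources, and review the non-URL entries (inline, eval) by hand before promoting the suggested policy to the enforcing header.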

This policy worked for me:

Header always set Content-Security-Policy "default-src 'unsafe-inline' 'unsafe-eval' 'self'; font-src 'self' data: https://fonts.gstatic.com:443; img-src 'self' data: https://secure.gravatar.com:443; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com:443"

The Twitter example from https://www.owasp.org/index.php/Content_Security_Policy_Cheat_Sheet#Mixed_Content_Policy was particularly helpful as a starting point.

srkiNZ84