#38695 closed enhancement (wontfix)
Customizer requires a relaxed CSP with 'unsafe-eval' specified
Reported by: | bjornjohansen | Owned by: |
---|---|---|---
Milestone: | | Priority: | normal
Severity: | normal | Version: | 4.7
Component: | Customize | Keywords: |
Focuses: | javascript | Cc: |
Description
If you’re using Content Security Policy headers, 'unsafe-eval' has to be specified to use the Customizer. Otherwise, the Customizer will turn up mostly blank.
The console in Google Chrome DevTools reports:
Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self' 'unsafe-inline' data: https:"
"obj","_",i) |
I would not consider this a bug, but a nuisance, since it requires this specific URL to be handled differently in the web server configuration when using CSP.
I’ve tested against both version 4.6.1 and trunk (4.7-beta2-39150), and with Twenty Fifteen and Twenty Seventeen as activated themes.
Attachments (3)
Change History (5)
#1 @ 8 years ago
- Milestone Awaiting Review deleted
- Resolution set to wontfix
- Status changed from new to closed
This turns out to not be a problem specific to the customizer. As you noted on Twitter, the Media Library is also broken when Nginx is configured with:
add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' data: https:";
In fact, it is a more fundamental problem with the JavaScript used in WordPress. Namely, anywhere in WordPress that wp.template (or Underscore templating) is used, this problem will occur. JavaScript templating in WP currently requires unsafe-eval.
Screenshot of the console in Chrome
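To make the comment above concrete, here is an added example (the editor's code, not anything from WordPress core, Underscore, or the reporter). It assumes the three delimiter patterns below are the ones wp-util.js hands to _.template for wp.template(); the function names and the sample data are hypothetical. The first renderer does what Underscore does and turns the template into JavaScript source for `new Function`, which is exactly the call that produces the EvalError quoted in the ticket when the policy lacks 'unsafe-eval'. The second renderer walks the same delimiters without evaluating any string as code, which works for plain `{{ data.x }}` output but has to refuse `<# ... #>` blocks, since those contain arbitrary JavaScript; that gap is why the templating cannot be made CSP-safe just by swapping the renderer.

```javascript
// Added example for this ticket (editor's code, not WordPress core and not
// the reporter's). Assumes the delimiters below match what wp-util.js passes
// to _.template for wp.template(); all other names are hypothetical.
//
//  compileWithFunction(): Underscore's strategy. The template becomes JS
//      source handed to `new Function`, which a CSP without 'unsafe-eval'
//      refuses with the EvalError shown in the ticket.
//  renderWithoutEval():   interprets the same delimiters, resolving dotted
//      `data.x.y` paths directly, so no string is ever evaluated as code.
//      It cannot run `<# ... #>` blocks, which hold arbitrary JavaScript.

const DELIMS = {
  evaluate:    /<#([\s\S]+?)#>/g,          // <# arbitrary JS #>
  interpolate: /\{\{\{([\s\S]+?)\}\}\}/g,  // {{{ raw output }}}
  escape:      /\{\{([^\}]+?)\}\}(?!\})/g, // {{ HTML-escaped output }}
};

// One combined matcher, tried in Underscore's order (escape, interpolate,
// evaluate); the trailing `|$` lets the final literal chunk be flushed.
function tagMatcher() {
  return new RegExp(
    [DELIMS.escape.source, DELIMS.interpolate.source, DELIMS.evaluate.source]
      .join('|') + '|$',
    'g'
  );
}

function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Strategy 1: generate code, then evaluate it (needs 'unsafe-eval').
function compileWithFunction(text) {
  let index = 0;
  let source = "let __p = '';";
  text.replace(tagMatcher(), (match, esc, interp, evaluate, offset) => {
    source += '__p += ' + JSON.stringify(text.slice(index, offset)) + ';';
    index = offset + match.length;
    if (esc) source += '__p += escapeHtml(' + esc + ');';
    else if (interp) source += '__p += (' + interp + ');';
    else if (evaluate) source += evaluate + ';';
    return match;
  });
  source += 'return __p;';
  // This is the call the browser rejects under the ticket's policy.
  const render = new Function('data', 'escapeHtml', source);
  return (data) => render(data, escapeHtml);
}

// Strategy 2: interpret the template; only plain property paths are allowed,
// so an expression such as `data.title + alert(1)` is rejected, not run.
function lookup(expr, data) {
  const m = /^\s*data((?:\.[A-Za-z_$][\w$]*)*)\s*$/.exec(expr);
  if (!m) throw new Error('not a plain data path: ' + expr.trim());
  let value = data;
  for (const key of m[1].split('.').slice(1)) {
    value = value == null ? undefined : value[key];
  }
  return value == null ? '' : value;
}

function renderWithoutEval(text, data) {
  let index = 0;
  let out = '';
  text.replace(tagMatcher(), (match, esc, interp, evaluate, offset) => {
    out += text.slice(index, offset);
    index = offset + match.length;
    if (esc) out += escapeHtml(lookup(esc, data));
    else if (interp) out += String(lookup(interp, data));
    else if (evaluate) {
      throw new Error('<# #> block needs code execution: ' + evaluate.trim());
    }
    return match;
  });
  return out;
}

// Feature probe a page can run at load time: under a CSP without
// 'unsafe-eval' the constructor call throws an EvalError.
function evalAllowed() {
  try {
    new Function('return 1')();
    return true;
  } catch (e) {
    return false;
  }
}
```

Run in Node or in a browser console, `evalAllowed()` reports true; on a page served with the `add_header` line from the comment above it reports false, and `compileWithFunction` fails the same way wp.template does while `renderWithoutEval` still works for templates that only print data.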