Make WordPress Core

Opened 5 months ago

Closed 5 months ago

Last modified 3 months ago

#38695 closed enhancement (wontfix)

Customizer requires a relaxed CSP with 'unsafe-eval' specified

Reported by: bjornjohansen
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 4.7
Component: Customize
Keywords:
Focuses: javascript
Cc:

Description

If you’re using Content Security Policy headers, 'unsafe-eval' has to be specified to use the Customizer. Otherwise, the Customizer will turn up mostly blank.

The console in Google Chrome DevTools reports:
Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self' 'unsafe-inline' data: https:"

The policy against eval() and its relatives like setTimeout(String), setInterval(String), and new Function(String) can be relaxed by adding 'unsafe-eval' to your policy. In underscore.min.js there is at least one occurrence of new Function(String): new Function(t.variable||"obj","_",i)

I would not consider this a bug, but a nuisance, since it requires this specific URL to be handled differently in the web server configuration when using CSP.

I’ve tested against both version 4.6.1 and trunk (4.7-beta2-39150), and with Twenty Fifteen and Twenty Seventeen as activated themes.

Attachments (3)

Skjermbilde 2016-11-07 kl. 16.26.02.png (324.4 KB) - added by bjornjohansen 5 months ago.
Screenshot of the console in Chrome
Skjermbilde 2016-11-07 kl. 16.26.33.png (212.8 KB) - added by bjornjohansen 5 months ago.
Screenshot of the triggered error in Chrome
Skjermbilde 2016-11-07 kl. 16.27.38.png (524.6 KB) - added by bjornjohansen 5 months ago.
Screenshot of the HTTP headers, including the CSP


Change History (5)

@bjornjohansen
5 months ago

Screenshot of the console in Chrome

@bjornjohansen
5 months ago

Screenshot of the triggered error in Chrome

@bjornjohansen
5 months ago

Screenshot of the HTTP headers, including the CSP

#1 @westonruter
5 months ago

  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed

This turns out to not be a problem specific to the customizer. As you noted on Twitter, the Media Library is also broken when Nginx is configured with:

add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' data: https:";

In fact, it is a more fundamental problem with the JavaScript used in WordPress. Namely, anywhere in WordPress that wp.template (or Underscore templating) is used, this problem will occur. JavaScript templating in WP currently requires unsafe-eval.
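The compile step that both the ticket description and the comment above point at, as an added example that is not code from WordPress, Underscore or this ticket. It reconstructs how the settings wp.template hands to _.template (the `<# #>`, `{{{ }}}` and `{{ }}` delimiters and the `data` variable name) turn template text into JavaScript source that is compiled with new Function(...), the call a policy without 'unsafe-eval' refuses, and contrasts it with an interpreter that never compiles strings and so shows what an eval-free template language would have to give up. The sample template and data are constructed for the example, escapeHtml stands in for _.escape, and withEvalBlocked only simulates the browser's refusal; it is not a CSP.

```javascript
// Added example, not code from WordPress, Underscore, or this ticket.
// 1) compileWithNewFunction reconstructs the _.template compile step as
//    wp.template configures it: template text -> JS source -> new Function.
// 2) compileWithoutEval renders the same delimiters without compiling
//    anything, which is why it cannot run <# #> blocks.

// Delimiters and the `data` variable that wp.template passes to _.template.
const wpTemplateSettings = {
  evaluate:    /<#([\s\S]+?)#>/g,          // <# arbitrary JavaScript #>
  interpolate: /\{\{\{([\s\S]+?)\}\}\}/g,  // {{{ raw output }}}
  escape:      /\{\{([^\}]+?)\}\}(?!\})/g, // {{ HTML-escaped output }}
  variable:    'data',
};

// Stand-in for _.escape (assumption: same five characters).
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);

// Tokenizer shared by both compilers: literal text plus the three tag kinds.
function tokenize(text, settings) {
  const matcher = new RegExp([settings.escape.source, settings.interpolate.source,
    settings.evaluate.source].join('|') + '|$', 'g');
  const tokens = [];
  let index = 0;
  text.replace(matcher, (match, esc, interp, evaluate, offset) => {
    tokens.push({ kind: 'text', value: text.slice(index, offset) });
    index = offset + match.length;
    if (esc !== undefined) tokens.push({ kind: 'escape', value: esc });
    else if (interp !== undefined) tokens.push({ kind: 'interpolate', value: interp });
    else if (evaluate !== undefined) tokens.push({ kind: 'evaluate', value: evaluate });
    return match;
  });
  return tokens;
}

// 1) Underscore's approach: every tag body is spliced into JS source verbatim
//    and compiled with new Function(variable, '_', source); `_` is passed so
//    the escape branch can call _.escape, as in underscore.min.js.
function compileWithNewFunction(text, settings = wpTemplateSettings) {
  const quote = (s) => "'" + s.replace(/\\|'|\r|\n|\u2028|\u2029/g, (c) =>
    ({ '\\': '\\\\', "'": "\\'", '\r': '\\r', '\n': '\\n', '\u2028': '\\u2028', '\u2029': '\\u2029' })[c]) + "'";
  let source = "var __t, __p = '';\n";
  for (const tok of tokenize(text, settings)) {
    if (tok.kind === 'text') source += '__p += ' + quote(tok.value) + ';\n';
    else if (tok.kind === 'escape') source += '__p += ((__t = (' + tok.value + ")) == null ? '' : _.escape(__t));\n";
    else if (tok.kind === 'interpolate') source += '__p += ((__t = (' + tok.value + ")) == null ? '' : __t);\n";
    else source += tok.value + '\n';
  }
  source += 'return __p;\n';
  // The call a CSP without 'unsafe-eval' rejects with an EvalError:
  const render = new Function(settings.variable || 'obj', '_', source);
  return { source, render: (data) => render(data, { escape: escapeHtml }) };
}

// 2) Eval-free alternative: a tag body must be a dotted property path
//    (data.attachment.title) resolved at render time. Nothing is compiled,
//    so no 'unsafe-eval'; the price is that <# #> logic and expressions
//    such as data.count + 1 are rejected.
const PATH_RE = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;

function compileWithoutEval(text, settings = wpTemplateSettings) {
  const ops = tokenize(text, settings).map((tok) => {
    if (tok.kind === 'text') return tok;
    if (tok.kind === 'evaluate') throw new Error('<# #> blocks embed JavaScript; not supported without eval');
    const path = tok.value.trim();
    if (!PATH_RE.test(path)) throw new Error('only dotted property paths are supported: ' + path);
    return { kind: tok.kind, path: path.split('.') };
  });
  // Own-property walk only, so data.constructor.prototype resolves to nothing.
  const lookup = (root, path) => path.reduce(
    (v, k) => (v != null && Object.prototype.hasOwnProperty.call(Object(v), k) ? v[k] : undefined), root);
  return (data) => ops.map((op) => {
    if (op.kind === 'text') return op.value;
    const v = lookup({ [settings.variable || 'obj']: data }, op.path);
    return v == null ? '' : (op.kind === 'escape' ? escapeHtml(v) : String(v));
  }).join('');
}

// Simulates the browser's refusal under a CSP lacking 'unsafe-eval'. Not a
// CSP: it only makes new Function throw the way the DevTools console reports.
function withEvalBlocked(fn) {
  const RealFunction = globalThis.Function;
  globalThis.Function = function () {
    throw new EvalError("Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script");
  };
  try { return fn(); } finally { globalThis.Function = RealFunction; }
}

// Constructed sample in the shape of a wp-admin media template (not copied from WordPress).
const SAMPLE_TEMPLATE =
  '<div class="attachment" data-id="{{ data.id }}">' +
  '<# if ( data.caption ) { #><p>{{ data.caption }}</p><# } #>' +
  '{{{ data.html }}}</div>';
const LOGIC_FREE_TEMPLATE = '<div data-id="{{ data.id }}"><p>{{ data.caption }}</p>{{{ data.html }}}</div>';
const SAMPLE_DATA = { id: 7, caption: '<b>Hi</b> & bye', html: '<img src="x.png">' };

function demo() {
  const withEval = compileWithNewFunction(SAMPLE_TEMPLATE).render(SAMPLE_DATA);
  let blocked = false;
  try { withEvalBlocked(() => compileWithNewFunction(SAMPLE_TEMPLATE)); }
  catch (e) { blocked = e instanceof EvalError; }
  const noEval = withEvalBlocked(() => compileWithoutEval(LOGIC_FREE_TEMPLATE)(SAMPLE_DATA));
  let rejectedLogic = false;
  try { compileWithoutEval(SAMPLE_TEMPLATE); } catch (e) { rejectedLogic = !(e instanceof EvalError); }
  return { withEval, blocked, noEval, rejectedLogic };
}

console.log(demo());
```

Running `demo()` shows the trade-off the comment describes: the `{{ }}` and `{{{ }}}` substitutions can be served without compiling code, but a `<# if ( data.caption ) { #>` block is JavaScript and has no eval-free equivalent short of a different template language, which is why every wp.template user needs 'unsafe-eval'. Until that changes, the practical option is the one the reporter alludes to: keep the strict policy on the front end and send a policy that includes `'unsafe-eval'` only for the admin paths (in Nginx, an `add_header` inside the `/wp-admin/` location replaces the server-level headers for that location, so the relaxed value applies there alone).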

3 months ago

This ticket was mentioned in Slack in #core-customize by westonruter.
