Customizer requires a relaxed CSP with 'unsafe-eval' specified
|Reported by:|bjornjohansen|Owned by:| |
If you’re using Content Security Policy headers, 'unsafe-eval' has to be specified to use the Customizer. Otherwise, the Customizer will turn up mostly blank.
The console in Google Chrome DevTools reports:
I would not consider this a bug, but a nuisance, since it requires this specific URL to be handled differently in the web server configuration when using CSP.
I’ve tested against both version 4.6.1 and trunk (4.7-beta2-39150), and with Twenty Fifteen and Twenty Seventeen as activated themes.
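The following is an added example, not part of the ticket or of WordPress: a small audit that checks whether a per-URL relaxation like the one described above really is limited to the Customizer. It assumes the Customizer is served at `/wp-admin/customize.php`; the function names and the sample path/header pairs are constructed for illustration.

```python
CUSTOMIZER_PATH = "/wp-admin/customize.php"  # assumed Customizer entry point

def parse_csp(policy_text):
    """Parse one serialized policy into {directive: [source, ...]}."""
    policy = {}
    for part in policy_text.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored by browsers; the first one wins.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def _policy_allows_eval(policy_text):
    policy = parse_csp(policy_text)
    # eval() is governed by script-src, which falls back to default-src.
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True  # neither directive present: scripts are unrestricted
    return "'unsafe-eval'" in [s.lower() for s in sources]

def allows_eval(header):
    """True if a Content-Security-Policy header value permits eval()."""
    if not header:
        return True  # no CSP at all means eval is unrestricted
    # Several policies may arrive comma-joined; every one must allow eval.
    return all(_policy_allows_eval(p) for p in header.split(","))

def audit(responses):
    """responses: (path, csp_header_or_None) pairs. Returns a list of findings."""
    findings = []
    for path, header in responses:
        is_customizer = path.split("?", 1)[0] == CUSTOMIZER_PATH
        eval_ok = allows_eval(header)
        if eval_ok and not is_customizer:
            findings.append((path, "eval allowed outside the Customizer"))
        elif is_customizer and not eval_ok:
            findings.append((path, "Customizer will render mostly blank"))
    return findings

# Constructed sample: headers as collected from four URLs of one site.
SAMPLE = [
    ("/", "default-src 'self'"),
    ("/wp-admin/index.php", "default-src 'self'; script-src 'self' 'unsafe-inline'"),
    ("/wp-admin/customize.php?theme=twentyseventeen",
     "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'"),
    ("/wp-login.php", "default-src 'self' 'unsafe-eval'"),  # relaxation leaked
]

if __name__ == "__main__":
    for path, problem in audit(SAMPLE):
        print(f"{path}: {problem}")
```
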
Change History (5)
3 months ago
- Milestone Awaiting Review deleted
- Resolution set to wontfix
- Status changed from new to closed