[wp-trac] [WordPress Trac] #38695: Customizer requires a relaxed CSP with 'unsafe-eval' specified
WordPress Trac
noreply at wordpress.org
Mon Nov 7 16:04:12 UTC 2016
#38695: Customizer requires a relaxed CSP with 'unsafe-eval' specified
---------------------------+-----------------------------
Reporter: bjornjohansen | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Customize | Version: trunk
Severity: normal | Keywords:
Focuses: javascript |
---------------------------+-----------------------------
If you’re using Content Security Policy headers, 'unsafe-eval' has to be
specified to use the Customizer. Otherwise, the Customizer will turn up
mostly blank.
The console in Google Chrome DevTools reports:
Uncaught EvalError: Refused to evaluate a string as JavaScript because
'unsafe-eval' is not an allowed source of script in the following Content
Security Policy directive: "default-src 'self' 'unsafe-inline' data:
https:"
The policy against eval() and its relatives like setTimeout(String),
setInterval(String), and new Function(String) can be relaxed by adding
'unsafe-eval' to your policy. In underscore.min.js there is at least one
occurrence of new Function(String): new Function(t.variable||"obj","_",i)
I would not consider this a bug, but a nuisance, since it requires this
specific URL to be handled differently in the web server configuration
when using CSP.
I’ve tested against both version 4.6.1 and trunk (4.7-beta2-39150), and
with Twenty Fifteen and Twenty Seventeen as activated themes.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/38695>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
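The failure mode the ticket describes, as an added example that is not part of the ticket, of underscore.min.js, or of WordPress core. It shows why the policy quoted above refuses the Customizer's templates and what the CSP-safe alternative looks like: allowsEval() applies the CSP rule that eval-like calls are governed by script-src, falling back to default-src when script-src is absent; compileWithFunction() builds a template function with new Function(), the way underscore's _.template() does, but first applies that rule itself because Node.js does not enforce Content-Security-Policy (the thrown EvalError is a simulation of the browser's behaviour); renderInterpreted() renders the same template by walking it instead of compiling it, so no string ever reaches eval() or new Function(). All function names, the template text and the sample data are constructed for this example; only the first policy string is taken from the ticket.

```javascript
// Added example (not from the ticket, underscore.js or WordPress core).
// Node.js, no dependencies. CSP enforcement is simulated below, because
// Node does not enforce Content-Security-Policy.

// Parse a CSP header value into a Map of directive name -> source list.
// Per the spec, only the first occurrence of a directive counts.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) {
      directives.set(name, tokens.slice(1).map((s) => s.toLowerCase()));
    }
  }
  return directives;
}

// eval(), new Function(), setTimeout(String) and setInterval(String) are
// governed by script-src. If script-src is absent the browser falls back to
// default-src; if neither is present the policy places no restriction on
// script at all.
function allowsEval(policy) {
  const d = parseCsp(policy);
  const sources = d.has("script-src") ? d.get("script-src") : d.get("default-src");
  if (sources === undefined) return true;
  return sources.includes("'unsafe-eval'");
}

// Mirrors the underscore _.template() approach: turn the template text into
// JavaScript source and hand it to new Function(). That constructor call is
// exactly what CSP refuses without 'unsafe-eval', so the policy check here
// stands in for the browser. Only <%= expr %> interpolation is supported;
// as in underscore, the output is NOT HTML-escaped.
function compileWithFunction(text, policy) {
  if (!allowsEval(policy)) {
    throw new EvalError(
      "Refused to evaluate a string as JavaScript because 'unsafe-eval' is " +
        "not an allowed source of script in the policy: " + policy
    );
  }
  const re = /<%=([\s\S]+?)%>/g;
  let source = "var __p = '';\nwith (obj || {}) {\n";
  let last = 0;
  let m;
  while ((m = re.exec(text)) !== null) {
    source += "__p += " + JSON.stringify(text.slice(last, m.index)) + ";\n";
    source += "__p += (" + m[1].trim() + ");\n";
    last = re.lastIndex;
  }
  source += "__p += " + JSON.stringify(text.slice(last)) + ";\n}\nreturn __p;";
  return new Function("obj", "_", source); // the call CSP blocks
}

// CSP-safe alternative: interpret the template instead of compiling it.
// Only dotted property paths are supported (<%= theme.name %>), which is
// what most templates need; there is no arbitrary expression evaluation,
// so nothing is ever passed to eval() or new Function(). Missing values
// render as an empty string. Output is still not HTML-escaped.
function renderInterpreted(text, obj) {
  return text.replace(/<%=([\s\S]+?)%>/g, (_match, expr) => {
    let value = obj;
    for (const key of expr.trim().split(".")) {
      value =
        value != null && Object.prototype.hasOwnProperty.call(value, key)
          ? value[key]
          : undefined;
    }
    return value === undefined ? "" : String(value);
  });
}

// Constructed inputs. The first policy is the one quoted in the ticket.
const TICKET_POLICY = "default-src 'self' 'unsafe-inline' data: https:";
const RELAXED_POLICY = TICKET_POLICY + " 'unsafe-eval'";
const TEMPLATE = "Theme: <%= name %> (<%= version %>)";
const DATA = { name: "Twenty Seventeen", version: "1.0" };

// Stand-alone demonstration.
for (const policy of [TICKET_POLICY, RELAXED_POLICY]) {
  try {
    console.log("compiled  :", compileWithFunction(TEMPLATE, policy)(DATA));
  } catch (e) {
    console.log("compiled  :", e.name + ": " + e.message);
  }
}
console.log("interpreted:", renderInterpreted(TEMPLATE, DATA));
```

Note that adding 'unsafe-eval' to default-src is not enough if the policy also carries a script-src directive: script-src replaces the fallback entirely, so the keyword has to appear in script-src itself. allowsEval() reflects that.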