[wp-trac] [WordPress Trac] #50997: Block Editor showing blank in WordPress 5.5

WordPress Trac noreply at wordpress.org
Fri Jul 15 18:44:13 UTC 2022


#50997: Block Editor showing blank in WordPress 5.5
--------------------------+-----------------------
 Reporter:  david-woakes  |       Owner:  (none)
     Type:  defect (bug)  |      Status:  reopened
 Priority:  normal        |   Milestone:
Component:  Editor        |     Version:  5.5
 Severity:  normal        |  Resolution:
 Keywords:                |     Focuses:
--------------------------+-----------------------
Changes (by jornfranke):

 * status:  closed => reopened
 * resolution:  invalid =>


Comment:

 I still see it in the latest WP6 version.
 Please note that unsafe-eval is not only about eval, but also about
 Function() etc. (see here:
 https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#unsafe_eval_expressions).

 You need to edit any post in the Block editor and in/related to the
 following scripts (or scripts these scripts are calling) - most of them
 are related to the use of Function():
 * /wp-includes/js/dist/data.min.js
 * /wp-includes/js/dist/core-data.min.js
 * wp-includes/js/dist/reusable-blocks.min.js
 * wp-includes/js/dist/notices.min.js
 * wp-includes/js/dist/keyboard-shortcuts.min.js
 * wp-includes/js/dist/rich-text.min.js
 * wp-includes/js/dist/viewport.min.js?
 * wp-includes/js/dist/block-editor.min.js
 * wp-includes/js/dist/preferences.min.js
 * wp-includes/js/dist/editor.min.js
 * wp-includes/js/dist/edit-post.min.js
 * wp-includes/js/dist/block-directory.min.js
 * wp-includes/js/dist/format-library.min.js
 * wp-includes/js/dist/dom-ready.min.js
 * wp-content/themes/twentytwentyone/assets/js/editor.js
 * ... in fact many more (because they don't get called, I think all js
 files in dist are affected)

 See here for examples for problematic statements:
 * https://github.com/WordPress/WordPress/blob/master/wp-includes/js/dist/editor.js#L1
 * https://github.com/WordPress/WordPress/blob/master/wp-includes/js/dist/editor.js#L5
 * https://github.com/WordPress/WordPress/blob/master/wp-includes/js/dist/date.js#L1
 * https://github.com/WordPress/WordPress/blob/master/wp-includes/js/dist/data.js#L1
 * https://github.com/WordPress/WordPress/blob/master/wp-includes/js/dist/blocks.js#L5345

 Note: those are just some examples, the files contain many more
 instances of Function (see
 https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function)

 Those are, as said before, mostly related to function() {} and thus they
 prevent setting a secure CSP on any WordPress instance.

 All this prevents removing unsafe-eval from the CSPs, and it introduces
 significant security risks.

 I do not know why WP does it this way, so I cannot estimate the effort.
 However, the security benefits of having a safe CSP probably outweigh
 this. Looking forward to testing any fix for this.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/50997#comment:8>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
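One way a site owner can produce the list of scripts above from real data rather than by hand: deploy a Content-Security-Policy-Report-Only header without 'unsafe-eval' and summarise the violation reports the browser sends. This is an added example in Node-compatible JavaScript, not code from the ticket or from WordPress core; the report endpoint path and the sample reports are constructed.

```javascript
// Added example, not from the ticket or WordPress core: summarise CSP violation
// reports collected under a Content-Security-Policy-Report-Only header that omits
// 'unsafe-eval', to list which scripts still rely on eval()/Function() before the
// policy is enforced. Sample reports and the report endpoint path are constructed.
const REPORT_ONLY_POLICY = "script-src 'self'; report-uri /csp-report-endpoint-placeholder";

// Constructed report in the JSON shape browsers POST to report-uri.
function makeReport(sourceFile, blockedUri, directive = "script-src") {
  return { "csp-report": {
    "document-uri": "https://example.test/wp-admin/post.php?post=1&action=edit",
    "violated-directive": directive, "effective-directive": directive,
    "blocked-uri": blockedUri, "source-file": sourceFile, "line-number": 1,
    "original-policy": REPORT_ONLY_POLICY } };
}

const SAMPLE_REPORTS = [
  makeReport("https://example.test/wp-includes/js/dist/data.min.js", "eval"),
  makeReport("https://example.test/wp-includes/js/dist/block-editor.min.js", "eval"),
  makeReport("https://example.test/wp-includes/js/dist/data.min.js", "eval"),
  makeReport("https://example.test/wp-admin/post.php", "inline"),                 // inline, not eval
  makeReport("https://example.test/wp-includes/css/x.css", "eval", "style-src"),  // not script-src
];

// True only for script-src violations from eval-like expressions (eval, Function(),
// string setTimeout); browsers report those with blocked-uri "eval".
function isEvalViolation(report) {
  const r = report && report["csp-report"];
  if (!r) return false;
  const directive = String(r["effective-directive"] || r["violated-directive"] || "").split(" ")[0];
  return directive === "script-src" && r["blocked-uri"] === "eval";
}

// Reduce a source-file URL to its path so output matches the relative paths listed above.
function toPath(sourceFile) {
  try { return new URL(sourceFile).pathname; } catch (e) { return sourceFile || "(unknown)"; }
}

// Returns [{file, count}] sorted by frequency then path: the scripts that would break
// once the policy is enforced without 'unsafe-eval'.
function summarizeEvalViolations(reports) {
  const counts = new Map();
  for (const report of reports) {
    if (!isEvalViolation(report)) continue;
    const file = toPath(report["csp-report"]["source-file"]);
    counts.set(file, (counts.get(file) || 0) + 1);
  }
  return [...counts.entries()]
    .sort((a, b) => b[1] - a[1] || a[0].localeCompare(b[0]))
    .map(([file, count]) => ({ file, count }));
}
```

Calling `summarizeEvalViolations(SAMPLE_REPORTS)` yields the two dist scripts with their counts; feed the JSON bodies received at the real report endpoint in place of the sample to audit an actual install.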

