WordPress + Disqus + refused executing inline script

I've loaded Disqus on my WordPress website, which is running on HTTPS. The problem is that while the comments are shown at the bottom of the webpage, they are white (and since the background of the page is also white, they are not visible).

If I open Inspector in Chrome, the following error is printed to the Console tab.

    Refused to execute inline script because it violates the following
    Content Security Policy directive: "script-src https://*.twitter.com:*
    https://api.adsnative.com/v1/ad.json *.adsafeprotected.com *.google-analytics.com https://glitter-services.disqus.com
    https://*.services.disqus.com:* disqus.com http://*.twitter.com:*
    a.disquscdn.com api.taboola.com referrer.disqus.com *.scorecardresearch.com
    *.moatads.com https://admin.appnext.com/offerWallApi.aspx 'unsafe-eval'
    https://mobile.adnxs.com/mob *.services.disqus.com:*". Either the 'unsafe-inline'
    keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required
    to enable inline execution.

This happens because of the Popup Blocker Extension in Chrome, but I would like to enable it with content security policy: http://www.html5rocks.com/en/tutorials/security/content-security-policy/ . Basically, the error occurs in the chrome-extension://* scheme, so I need to add an appropriate entry to the Content-Security-Policy to allow chrome extensions.

How should I disable the security policy for chrome extensions?

eleanor asked Mar 28 '15 22:03


1 Answer

This isn't something you can (or should) meaningfully solve. It's up to the extension vendor to properly implement themselves. The fact is the extension is attempting to inject inline code and it's being stopped by the Content Security Policy because the CSP is made to block it. As it should, since the extension is indistinguishable from malware from its perspective.

You could (but should not) simply add rules to your site's Content Security Policy to allow the extension to run...but this is potentially dangerous, incredibly case-specific, and should basically only ever be done in an enterprise context in which everyone has a (poorly coded) browser extension that is required to work with your site. And even then re-coding the extension would generally be preferred.

Ben Brocka answered Nov 15 '22 23:11