Testing csp policy phase is preventing webrowser to load ressources

[Barnoux]

Hello,

I was testing the policy and the product owner notified me that some ressources are not loaded in the browser during the fifth phase that is mentionned in the helper of the plugin

Leaving the tag capture active, activate the policy test (at this stage the plugin will generate some violations of the temporary policy used to record additional values to be included in the directives of your "content security policy").

This is an example found in the browser console with the devtool.

I thought that during this phase, the policy couldn't impact the client naviguation on the wordpress site. It appeared to me that the testing CSP policy doesn't "always" prevent a loading.

maybe i miss something ?

regards, BBA

[MocioF]

The line you copied reports "Report Only". This should not prevent the script from loading.

[Barnoux]

Ok well i have an issue then... When the test policy is not applied, browser clients correctly load the ressources. How can i troubleshoot this ?

[MocioF]

Sorry, I don't understand. If you don't apply any policy, why browsers should not load whatever they find in the page?

[Barnoux]

My bad i wasn't clear in my statement.

• When the test policy is not applied, browser clients correctly load the ressources.
• When the test policy is applied, browser clients doesn't correctly load the ressources.

[MocioF]

Is the resource whitelisted? How did you whitelist it? Can you post a link to the page with the problem?

[Barnoux]

i'm testing the plugin in a test environnement so i can't send you a link because you could not have access to the page.

when the pages are not loaded this is the common error that i have in the console : as we can see in the console log the test policy is activated.

One thing that is als strange, the CSP policy is not always in the HTTP response header.

[MocioF]

Try to use nonces and not hashes. Maybe the CSP generated with hashes is too big to fit the response header size of your server.