Wordpress-seo: CSP script-src unsafe-eval is required for Yoast SEO post/page edit box to function

Created on 1 Jan 2018 · 8 comments · Source: Yoast/wordpress-seo

  • [X] I've read and understood the contribution guidelines.
  • [X] I've searched for any related issues and avoided creating a duplicate issue.

Please give us a description of what happened.

With a CSP header of:

content-security-policy:base-uri 'self'; default-src 'self'; font-src 'self' data:; img-src 'self' https://secure.gravatar.com data:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.youtube.com https://docs.google.com;

I see an error in the Chrome console like below on the post/page editing pages in the WordPress Admin

[image]

And the Yoast SEO box on the post/page editor not working like below

[image]

If I add unsafe-eval to the script-src directive in my CSP, however, the error above does not appear and the Yoast SEO box works as expected.

Please describe what you expected to happen and why.

I expect to be able to use Yoast SEO without the script-src 'unsafe-eval' directive in my CSP for security.

How can we reproduce this behavior?

See above. I would expect it to be reproducible on a base WordPress install served with a CSP header similar to above.

Technical info

  • WordPress version: 4.9.1
  • Yoast SEO version: Premium 6.0
  • Relevant plugins in case of a bug: N/A
build tooling javascript
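The report above turns on one detail of the policy: whether the source list that governs script execution contains the `'unsafe-eval'` keyword, since that keyword alone decides whether `eval()` and `new Function()` (which lodash's `_.template` compiles through) are permitted. The following added example, which is not code from the Yoast/wordpress-seo project, parses a CSP header, resolves the `script-src` / `default-src` fallback, and shows the minimal policy change that lets such code run while leaving every other directive untouched. The function names (`parseCsp`, `allowsEval`, `withUnsafeEval`) are assumptions for this illustration; the header constant is a copy of the one quoted in the report.

```javascript
// Added example (not from the Yoast/wordpress-seo repo): inspect a
// Content-Security-Policy header for the directive that gates eval()/Function().

// CSP header exactly as quoted in the issue report (copied as a constructed constant).
const ISSUE_CSP =
  "base-uri 'self'; default-src 'self'; font-src 'self' data:; " +
  "img-src 'self' https://secure.gravatar.com data:; " +
  "script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; " +
  "frame-src 'self' https://www.youtube.com https://docs.google.com;";

// Split the policy into a Map of directive name -> array of source expressions.
function parseCsp(header) {
  const policy = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue; // trailing ';' or empty segment
    const name = tokens[0].toLowerCase();
    // Per the CSP spec a repeated directive is ignored; keep the first one.
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Source list that governs script execution: script-src if present,
// otherwise default-src (the spec fallback), otherwise null (unrestricted).
function effectiveScriptSources(policy) {
  if (policy.has('script-src')) return policy.get('script-src');
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

// eval()/new Function() run only if the governing list contains 'unsafe-eval'
// (keyword match is ASCII case-insensitive) or if nothing governs scripts at all.
function allowsEval(header) {
  const sources = effectiveScriptSources(parseCsp(header));
  if (sources === null) return true;
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// Add 'unsafe-eval' to script-src only. If script-src is absent it is created
// from default-src, so img-src, style-src etc. keep their stricter fallback.
function withUnsafeEval(header) {
  const policy = parseCsp(header);
  const sources = effectiveScriptSources(policy) || [];
  if (!sources.some((s) => s.toLowerCase() === "'unsafe-eval'")) {
    policy.set('script-src', [...sources, "'unsafe-eval'"]); // keeps Map order
  }
  return [...policy].map(([name, list]) => [name, ...list].join(' ')).join('; ') + ';';
}

console.log('issue header allows eval:', allowsEval(ISSUE_CSP)); // false
console.log('widened header:', withUnsafeEval(ISSUE_CSP));
```

The widened header only relaxes `script-src`; `style-src`, `img-src` and the rest are emitted unchanged, which is the narrowest change that resolves the console error in the report. Because `'unsafe-eval'` applies to every script the page loads, not just the editor bundle, the `Content-Security-Policy-Report-Only` header is a useful way to measure what else would break before deciding to add it.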

All 8 comments

I have looked into this and determined that the cause is located here:
https://github.com/Yoast/wordpress-seo/blob/trunk/webpack/webpack.config.default.js#L9

Trying to disable it triggers several different other errors and problems.

@Xyfi / @IreneStr could you take a look at this?

After some research, I figured out the exception is triggered by a third party library. The lodash function template is not CSP safe: https://lodash.com/docs/4.17.4#template, and is used by the WordPress core libraries.

@collinbarrett The error also occurs when Yoast SEO is disabled. Some functions of the editor stop working, so I don't think using the editor without unsafe-eval directive is really an option.

Because this is an issue in WordPress core I'm closing this issue.

I understand, thanks for looking into it, @Xyfi .

@collinbarrett Here you can read up on what the Wordpress Development team has to say about unsafe-eval: https://core.trac.wordpress.org/ticket/38695.

Was adding that to my todo list right as you posted that comment. Thanks for that link, saved me a lot of searching. Will do! I only saw the issue evidenced with Yoast, but I see it is a larger WordPress issue that needs to be resolved.

Thanks again.

Or via the more general search query: https://core.trac.wordpress.org/search?q=Content-Security-Policy

A lot of these issues have been closed already though.
