Cloudflare WAF block, json issues

Hi there,

Thanks for your report!

The Web Stories WordPress plugin generates HTML and sends that via the REST API, so it’s possible that the WAF mistakenly flags it for XSS. If you can disable that rule specifically for web-story endpoints that sure work.

As for the dashboard, can you look at the Network tab and filter by XHR requests to see what their responses are? If there’s something messing up the responses, it won’t be valid JSON anymore and result in that error message.

Example:

Good point regarding the users, I just opened https://github.com/google/web-stories-wp/issues/4753 to investigate this. There’s definitely room for improvement!

Thanks a lot for your help in debugging this issue with me and verifying the conflict and a potential workaround.

I appreciate you sharing this concern with us and absoluetely understand that you don’t want to risk your site‘s security.

We‘ll look into this further to determine how the plugin can operate with its full set of capabilities in such an environment, and will happily keep you posted on any updates in this regard.

Thanks again for your help!

Thanks for chiming in!

We’re still looking into this and hope to be able to provide an update soon.

Glad to hear it’s working! I’ll mark this topic as resolved for now.

Also, great suggestion. Agreed that it’s confusing. I’ve opened a ticket to address this for our next release.

Please let us know if there’s anything else we can help with.

(Note that wpr-cpcss is a WP-Rocket script. You should report that particular issue to WP-Rocket)

No need to worry, we’re already doing that 🙂 In fact, WP-Rocket is already working on improving support in their next version. But I still recommend reporting this to them as it might be particular to your setup.