• Resolved haddlyapis

    (@haddlyapis)

    A recent analysis done to see which errors my site has, has thrown some inline script errors that could make sites vulnerable to cross-site scripting attacks.

    For this plugin, the following errors were shown.
    [Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self' fonts.googleapis.com maxcdn.bootstrapcdn.com fonts.gstatic.com". Either the 'unsafe-inline' keyword, a hash ('sha256-ru1OH2/x8HlfUUB/M4CIPU4sM04mReXxEN+aZ3CvWkg='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
    with this being the source in the file.
    <script type='text/javascript' id='cookieconsent-js-after'>
    There are other similar errors, but I would like to know if this issue has been raised with you before.

    The page I need help with: [log in to see the link]

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author PascalBajorat

    (@pascalbajorat)

    I’m not sure why you see this, but we do not use Google Fonts in the frontend or Bootstrap via MaxCDN. So I think this message is not really related to GA Germanized.

    The cookieconsent-js-after inline-script is only wrapping the needed configs for the cookie consent. But those scripts could be modified by your settings or via hooks. Depending on your settings or other plugins this could contain other content than usual.

    Thread Starter haddlyapis

    (@haddlyapis)

    I think this error message about Google Fonts is not accurate to the CSP error itself. It is more that it is an inline JS script which could be vulnerable to XSS attacks according to an analysis done using https://webbkoll.dataskydd.net/.


The topic ‘CSP analysis of website shows errors with inline scripts’ is closed to new replies.