WordPress.org

Synchro
(@synchro)

6 years, 2 months ago

I was surprised to find that WordFence requires unsafe-eval permission in the script-src of a content security policy header. Annoyingly, it’s the *only* component on my site that requires this permission. Can WordFence be updated to only use external scripts so that we don’t need to allow either unsafe-inline or unsafe-eval? It goes a long way to prevent XSS.

Viewing 11 replies - 1 through 11 (of 11 total)

Plugin Support wfphil
(@wfphil)

6 years, 2 months ago

Hi,

I am unable to replicate this. Can you let me know what Content Security Policy you have set and which URL you are having a problem with.

Thanks.
Thread Starter Synchro
(@synchro)

6 years, 2 months ago
I just managed to trash my nginx config by accident and I can’t remember where I saw this error originally, but I’ve managed to provoke another one (I think the one I spotted originally was more obvious than this); I’m getting this stack trace when clicking the “Enable firewall” button in wp-admin:
```
[Error] EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' ".

	Function (jquery.tmpl.min.1527005958.js:10:3544)
	o (jquery.tmpl.min.1527005958.js:10:3544)
	template (jquery.tmpl.min.1527005958.js:10:1915)
	tmpl (jquery.tmpl.min.1527005958.js:10:1423)
	colorboxModal (admin.1527005958.js:1863)
	(anonymous function) (admin.1527005958.js:3266)
	success (admin.1527005958.js:1818)
	i (load-scripts.php:2:27455)
	fireWith (load-scripts.php:2:28215)
	y (load-scripts.php:4:22733)
	c (load-scripts.php:4:26927)
```
In the page source I can see that the script handler for this button immediately follows the button in the layout – that’s permitted with unsafe-inline (though it would be better to get rid of that too), but I’m not sure why it’s trigging unsafe-eval.

Incidentally, another thing flagged by my CSP is your use of the Roboto font from google fonts. Wordfence is the only thing using an external font on my site. It looks fine without it, but it would be better if it didn’t ask for it.
Plugin Support wfphil
(@wfphil)

6 years, 2 months ago

Hi,

Thank you for the update. We can now see why this is happening and we are looking to see if we can make an improvement in this area.

You can keep track of this via our changelog here:

https://wordpress.org/plugins/wordfence/#developers
Thread Starter Synchro
(@synchro)

6 years, 1 month ago
I’ve just run into more of a blocker with the same cause: After upgrading to Wordfence 7.1.7, it’s showing me a dialog that requires me to review the terms, however, clicking either of the review buttons results in a CSP violation due to needing unsafe-eval, so I can’t get past it.
```
[Error] EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'unsafe-inline'".

	Function (jquery.tmpl.min.1528224180.js:10:3544)
	o (jquery.tmpl.min.1528224180.js:10:3544)
	template (jquery.tmpl.min.1528224180.js:10:2004)
	tmpl (jquery.tmpl.min.1528224180.js:10:1423)
	tmpl (jquery.tmpl.min.1528224180.js:10:938)
	(anonymous function) (admin.php:261)
	dispatch (load-scripts.php:3:12450)
	handle (load-scripts.php:3:9179)
	trigger (load-scripts.php:3:11579)
	trigger (load-scripts.php:9:8280)
	(anonymous function) (load-scripts.php:3:18999)
	each (load-scripts.php:2:2886)
	each (load-scripts.php:2:851)
	trigger (load-scripts.php:3:18972)
	onclick (admin.php:246)
```
- This reply was modified 6 years, 1 month ago by Synchro.
Plugin Support wfphil
(@wfphil)

6 years, 1 month ago

Hi,

In that case to be able to review the Terms and Privacy Policy due to the new European GDPR legislation you will have to temporarily disable your CSP.

Thank you.

Thread Starter Synchro
(@synchro)

6 years, 1 month ago

I understand that, and I’ve done that purely so I can do so, but it seems contradictory to have to require everyone to disable an important anti-xss security measure to enable a security product, not the kind of practice that should be encouraged!

Disabling that element of a CSP is a temporary workaround, not an appropriate long-term solution, which would be to implement the review check without needing unsafe-eval in the first place, which is why I tagged this as a bug.

Plugin Support wfphil
(@wfphil)

6 years, 1 month ago

Hi,

It is under consideration. You can keep an eye on our changelog below for any further updates.

https://en-gb.wordpress.org/plugins/wordfence/#developers

Thread Starter Synchro
(@synchro)

5 years, 7 months ago

I’ve run into another one of these with Wordfence 7.1.18 when loading the WF dashboard page on a fresh install with WP 4.9.8:

`
[Error] EvalError: Refused to evaluate a string as JavaScript because ‘unsafe-eval’ is not an allowed source of script in the following Content Security Policy directive: “script-src ‘self’ ‘unsafe-inline’ http://www.google-analytics.com http://www.bugherd.com “.

Function (jquery.tmpl.min.1543941426.js:10:3544)
o (jquery.tmpl.min.1543941426.js:10:3544)
template (jquery.tmpl.min.1543941426.js:10:2004)
tmpl (jquery.tmpl.min.1543941426.js:10:1423)
tmpl (jquery.tmpl.min.1543941426.js:10:938)
wafConfigPageRender (admin.1543941426.js:3230)
(anonymous function) (admin.php:238)
i (load-scripts.php:2:27455)
fireWith (load-scripts.php:2:28215)
ready (load-scripts.php:2:30018)
K (load-scripts.php:2:30374)
`

Again, I find it absolutely mystifying that a security product would require you to disable one of the most effective ways to combat XSS available in order to use it. You should be encouraging users to use tighter security, not the reverse. Are you not dogfooding this? Do you not run Wordfence on sites with CSP reporting turned up full? This isn’t some weird edge case, it’s absolutely basic web security applicable to everyone. If your templating system requires unsafe-eval, it’s time to find a templating system that’s not broken.

Plugin Support wfphil
(@wfphil)

5 years, 7 months ago

Hi @synchro,

As previously stated it is under consideration. You can keep an eye on our changelog below for any further updates.

https://en-gb.wordpress.org/plugins/wordfence/#developers

Thank you.

Leopard-Lady
(@leopard-lady)

5 years, 4 months ago

Hi Guys,
I am having the same issues as @synchro, and I’m sure thousands of others trying to better secure their WP sites.

I just checked your changelog and see no mention of this as of yet.

Are you guys in fact working on a long term solution to remedy this security issue with your plugin?

Thank you,
LL

hogo56
(@hogo56)

5 years, 1 month ago

Maybe I am missing something here but in my .htaccess for my WordPress Multisite with Wordfence I am having to do this to get Wordfence to work. This thread has been open for a year so I am hoping there has been a resolution but I cannot find it.

Header set Content-Security-Policy “\
default-src ‘self’; \
style-src ‘self’ *.googleapis.com; \
script-src ‘self’ *.google-analytics.com *.googleapis.com data:; \
connect-src ‘self’ *.google-analytics.com *.googleapis.com data:; \
font-src ‘self’ *gstatic.com data:; \
img-src * data:; \
”
# Having to disable parts of Content-Security-Policy to get Wordfence to work
<Files “admin.php”>
Header set Content-Security-Policy “\
script-src ‘self’ ‘unsafe-inline’ ‘unsafe-eval’ *.com data:; \
connect-src ‘self’ *.google-analytics.com *.googleapis.com data:; \
font-src ‘self’ *gstatic.com data:; \
img-src * data:; \
”
</Files>