I'm trying to implement Content-Security-Policy headers for WordPress but am having trouble identifying all the URLs it needs access to. Specifically, I have tried adding the header:
Header always set Content-Security-Policy "default-src 'self' https://blogname.com:*"
However, when I set this, the "edit/create Post" page in particular throws a bunch of errors which look to be related to:
- 3rd party fonts it needs to download
- Other AJAX requests for javascript (e.g. for the editor)
- Other stuff, probably related to plugins
How can I easily identify all the 3rd party URLs that are needed for WordPress and all of its plugins, so that I can add them to the CSP header?
Use the header
Content-Security-Policy-Report-Only
first. This will allow you to test the policy and tune it. It works the same as the "regular" CSP header, except policy violations are not blocked, just reported. You can use the free service https://report-uri.io/ to receive the reports.
This policy worked for me:
The Twitter example from:
https://www.owasp.org/index.php/Content_Security_Policy_Cheat_Sheet#Mixed_Content_Policy
was particularly helpful as a starting point.
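The reports only arrive if the policy names a collection endpoint with a report-uri directive (for example `Content-Security-Policy-Report-Only: default-src 'self'; report-uri /csp-report`); without one the browser just logs the violation to its console. Browsers POST one JSON object per violation, with the blocked URL and the directive it tripped. The script below, an added example and not code from the answer above or from WordPress, groups those reports by directive and turns them into a draft policy, which is the "easily identify all the third-party URLs" step the question asks for. The sample reports are constructed, the plugin CDN host cdn.example-plugin.net is hypothetical, and the /csp-report path is assumed.

```python
"""Aggregate CSP violation reports into a per-directive allowlist draft.

Added example. The reports below are constructed to mimic the JSON a browser
POSTs to the report-uri endpoint; they are not real traffic, and the plugin
CDN host is hypothetical.
"""
import json
from collections import defaultdict
from urllib.parse import urlsplit


def _report(effective, blocked, violated="default-src 'self'"):
    """Build one constructed report in the browser's wire format."""
    return json.dumps({"csp-report": {
        "document-uri": "https://blogname.com/wp-admin/post-new.php",
        "violated-directive": violated,
        "effective-directive": effective,
        "blocked-uri": blocked,
        "original-policy": "default-src 'self'; report-uri /csp-report",  # assumed endpoint
    }})


SAMPLE_REPORTS = [
    _report("font-src", "https://fonts.gstatic.com/s/opensans/v18/x.woff2"),
    _report("style-src", "https://fonts.googleapis.com/css?family=Open+Sans"),
    _report("script-src", "https://cdn.example-plugin.net/editor.min.js"),  # hypothetical plugin CDN
    _report("script-src", "https://cdn.example-plugin.net/other.js"),
    _report("script-src", "inline"),   # inline <script>; must not be copied into the policy
    _report("img-src", "data"),        # data: URI image
    # Older browsers omit effective-directive; only violated-directive is present.
    json.dumps({"csp-report": {"violated-directive": "default-src 'self'",
                               "blocked-uri": "https://cdn.example-plugin.net/legacy.js"}}),
    "not json at all",                 # garbage posted to the endpoint must not crash the aggregator
    '{"unexpected": {}}',              # valid JSON but wrong shape, also skipped
]


def parse_report(raw):
    """Return the inner csp-report dict, or None for malformed or wrong-shaped input."""
    try:
        body = json.loads(raw)
    except (json.JSONDecodeError, TypeError):
        return None
    report = body.get("csp-report") if isinstance(body, dict) else None
    return report if isinstance(report, dict) else None


def source_expression(blocked_uri):
    """Map a blocked-uri value to the CSP source expression that would allow it.

    Network fetches are reported as a URL and reduced to their origin. The bare
    keywords 'inline', 'eval' and 'data' mark non-network cases. Inline script
    and eval are returned as review markers, not as 'unsafe-inline'/'unsafe-eval',
    because they should be fixed with nonces or hashes rather than allowlisted.
    """
    if blocked_uri in ("inline", "eval"):
        return f"<{blocked_uri}: review, do not allowlist>"
    if blocked_uri in ("data", "data:"):
        return "data:"
    parts = urlsplit(blocked_uri)
    if parts.scheme in ("http", "https") and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"
    return None  # empty or unknown scheme: nothing to allowlist


def summarize(raw_reports):
    """Group source expressions by the directive whose violation they caused."""
    by_directive = defaultdict(set)
    for raw in raw_reports:
        report = parse_report(raw)
        if report is None:
            continue
        directive = report.get("effective-directive")
        if not directive:  # pre-Level-2 report: fall back to the violated directive's name
            directive = report.get("violated-directive", "").split(" ")[0]
        if not directive:
            continue
        source = source_expression(report.get("blocked-uri", ""))
        if source:
            by_directive[directive].add(source)
    return dict(by_directive)


def draft_policy(by_directive, base="'self'"):
    """Render the summary as a policy string; review markers are left out."""
    directives = []
    for name in sorted(by_directive):
        extra = sorted(s for s in by_directive[name] if not s.startswith("<"))
        directives.append(" ".join([name, base] + extra))
    if "default-src" not in by_directive:
        directives.insert(0, f"default-src {base}")
    return "; ".join(directives)


if __name__ == "__main__":
    summary = summarize(SAMPLE_REPORTS)
    for directive, sources in sorted(summary.items()):
        print(directive, sorted(sources))
    print(draft_policy(summary))
```

Run it over the raw report bodies your endpoint stored and the printed summary is the list of third-party origins per directive; anything tagged as a review marker (inline script, eval) is where a plugin needs a nonce or hash, not an allowlist entry. Once the policy built from the summary produces no new reports in Report-Only mode, switch the header name to Content-Security-Policy and keep report-uri so regressions after a plugin update still show up.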