Reputation: 1
I have set up my CSP & whitelisted all my scripts with a randomly generated nonce. The current CSP seems to work for other scripts, except it blocks the embedded Mailchimp email subscription event handler. This is the console error message I get: (Report-Only policy) The page’s settings would block an event handler (script-src-attr) from being executed because it violates the following directive: “script-src 'self' 'nonce-022e6ecce789b043b660daaaafa8814f' https://connect.facebook.net/en_US/fbevents.js https://www.googletagmanager.com/gtag/ https://s3.amazonaws.com/downloads.mailchimp.com/js/mc-validate.js https://connect.facebook.net/”
The location of the code being blocked is inside the minified mailchimp mc-validate.js
What directive should I use to allow all JS from this URL to be executed on my server, without using 'unsafe-inline'?
I have tried adding 'strict-dynamic' to script-src along with whitelisting all scripts with a randomly generated nonce, but the mailchimp event handler was still blocked. The only option which has worked so far is setting the script-src-attr directive as 'unsafe-inline' which I believe is not a safe option.
Upvotes: 0
Views: 38