Your site content loading is blocked - what should you do?
Important: CSP options (settings) in this article are no longer available from v10.2.2 and onward. Please see ShieldPRO 10.2 Upgrade Guide here.
Due to the complexity of CSP and the superficial nature of our CSP implementation, we've decided to remove those options. We explore the issue in full detail in our blog post on this topic here.
From that version on, you can only add your own custom CSP rules to your site.
Note: This option/feature is no longer applicable to the latest version of the Shield Security plugin and is here for reference purposes only.
Content Security Policy (CSP) is an HTTP response security header, set by Shield's HTTP Headers feature. Depending on its settings, you may find that you are unable to edit your site content, or that some content is missing: CSP is blocking that content from loading. This is CSP's normal behaviour and nothing to worry about; it protects your site by refusing to load content from sources you have not approved.
So, when something is blocking your site content from loading, the first thing to do is to determine exactly what is being blocked. Use the Console in your web browser's developer tools for that.
Example
We set the following security headers directives:
We set the 'self' source for the CSP security header, which means "only permit content loaded from the site host" and block all other sources.
Here is an example of content blocked by the 'self' directive (Web Console blocking errors screenshot):
As we can see, the font source "http://fonts.gstatic.com" is blocked because it violates the 'self' directive we set in the CSP security header.
How to unblock this source
To unblock this source, whitelist it using the "Permitted Hosts and Domains" option.
Here is an additional example (with the same CSP security header directives set).
Web Console displays the following blocking error:
"Content Security Policy: The page’s settings blocked the loading of a resource at http://0.gravatar.com/avatar/fd24ef1test?s=26&b=mm&r=g (“default-src https://testsite.com data: 'unsafe-inline' 'unsafe-eval'”)."
Blocking error explanation:
We've whitelisted our own domain "https://testsite.com" as a trusted source for loading images:
Image loading from all other sources will be blocked, including the source http://0.gravatar.com.
To resolve this blocking error, review the http://0.gravatar.com source and, if it is trusted, whitelist it by adding 0.gravatar.com to the "Permitted Hosts and Domains" field:
After whitelisting, the source is included in the CSP response header directives, and content loading from the "0.gravatar.com" domain is allowed:
"Content-Security-Policy: default-src 'self' data: 'unsafe-inline' 'unsafe-eval' 0.gravatar.com;"
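To see how these directives decide what loads, here is a small added Python checker; it is not part of the Shield plugin. It builds a header in the shape shown above from a "Permitted Hosts and Domains" list and tests a resource URL against it the way the browser does (hostnames and URLs below are taken from this article, page origin https://testsite.com is assumed).

```python
from urllib.parse import urlsplit

# Sources Shield emits alongside the permitted hosts (as shown in this article).
BASE_SOURCES = ["'self'", "data:", "'unsafe-inline'", "'unsafe-eval'"]

def build_csp(permitted_hosts):
    """Build the default-src header in the shape the article shows."""
    return "default-src " + " ".join(BASE_SOURCES + list(permitted_hosts)) + ";"

def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def _host_matches(pattern, host):
    pattern, host = (pattern or "").lower(), (host or "").lower()
    if pattern.startswith("*."):          # *.example.com matches any subdomain
        return host.endswith(pattern[1:])
    return pattern == host

def source_allows(source, page_origin, resource_url):
    """Does one source expression permit loading resource_url from page_origin?"""
    page, res = urlsplit(page_origin), urlsplit(resource_url)
    if source == "'self'":                # same scheme and host[:port] as the page
        return (page.scheme, page.netloc) == (res.scheme, res.netloc)
    if source.endswith(":"):              # scheme-source such as data:
        return res.scheme == source[:-1]
    if source.startswith("'"):            # 'unsafe-inline' etc. never match a URL
        return False
    if "://" in source:                   # host-source with an explicit scheme
        src = urlsplit(source)
        return src.scheme == res.scheme and _host_matches(src.hostname, res.hostname)
    # Scheme-less host-source inherits the page's scheme (https is also fine on http pages)
    allowed_schemes = {"http", "https"} if page.scheme == "http" else {page.scheme}
    host = source.split("/")[0].split(":")[0]
    return res.scheme in allowed_schemes and _host_matches(host, res.hostname)

def is_allowed(header, page_origin, resource_url, directive="img-src"):
    """Check a fetch against the given directive, falling back to default-src."""
    policy = parse_csp(header)
    sources = policy.get(directive, policy.get("default-src", []))
    return any(source_allows(s, page_origin, resource_url) for s in sources)
```

With the article's original header, the http://0.gravatar.com avatar URL is refused; with build_csp(["0.gravatar.com"]) the https://0.gravatar.com URL is allowed. Note that a host entered without a scheme inherits the page's scheme, so on an https site a plain-http gravatar URL stays blocked even after whitelisting.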
Important: Always whitelist trusted sources only.
Note: If you're unfamiliar with all of the above, you may have to disable CSP.