Recommended CSP policy for Brizy
I noticed that Brizy wasn't generating thumbs for saved blocks or when re-ordering blocks.
Inspecting the page I noticed CSP errors, for example:
"Refused to connect to 'blob:https://[domain]/39a2a9de-01f0-43c9-9657-a6b848a050da' because it violates the following Content Security Policy directive: "default-src https: data: 'unsafe-inline' 'unsafe-eval'". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback."
I've updated the policy to: https://cspvalidator.org/#headerValue%5B%5D=upgrade-insecure-requests%3B+default-src+https%3A+data%3A+'unsafe-inline'+'unsafe-eval'%3B+connect-src+https%3A+blob%3A+'self'+https%3A%2F%2F*.brizy.io&strategy=intersection
This seems to work and thumbs are now generating, but I wonder if anyone can recommend specific settings for Brizy?
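Added example, not part of the original post and not Brizy's code: a simplified CSP source-list matcher showing why the first policy blocks the `blob:` request (no `connect-src`, so `default-src` applies, and `https:` does not cover `blob:`) and why the updated one allows it. The function names and the `example.test` origin are assumptions; only scheme, `'self'` and host sources are modelled, so path matching, ports and nonces are ignored.

```javascript
// Policies taken from the post above (the second one decoded from the cspvalidator link).
const BEFORE = "default-src https: data: 'unsafe-inline' 'unsafe-eval'";
const AFTER = "upgrade-insecure-requests; default-src https: data: 'unsafe-inline' " +
  "'unsafe-eval'; connect-src https: blob: 'self' https://*.brizy.io";

// Split a header into directive name -> source list; the first occurrence of a name wins.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// connect-src falls back to default-src when it is not set explicitly.
function effectiveSources(directives, name) {
  return directives.get(name) ?? directives.get('default-src') ?? null;
}

function hostMatches(pattern, host) {
  return pattern.startsWith('*.') ? host.endsWith(pattern.slice(1)) : pattern === host;
}

// Simplified check: would fetch/XHR to `url` from `pageOrigin` pass this policy?
function allowsConnect(header, url, pageOrigin) {
  const sources = effectiveSources(parsePolicy(header), 'connect-src');
  if (sources === null) return true; // no applicable directive, nothing to enforce
  const target = new URL(url);
  const isNetworkScheme = ['http:', 'https:', 'ws:', 'wss:'].includes(target.protocol);
  return sources.some((src) => {
    // Scheme source such as https: or blob: matches on the URL's own scheme only.
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return src.toLowerCase() === target.protocol;
    if (!isNetworkScheme) return false; // blob:/data: need an explicit scheme source
    if (src === "'self'") return target.origin === pageOrigin;
    if (src.startsWith("'")) return false; // other keywords do not grant connections
    const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/i.exec(src);
    if (!m) return false;
    if (m[1] && m[1].toLowerCase() + ':' !== target.protocol) return false;
    return hostMatches(m[2].toLowerCase(), target.hostname);
  });
}

// Constructed sample: the blob URL shape from the error message on a placeholder origin.
const SAMPLE_BLOB = 'blob:https://example.test/39a2a9de-01f0-43c9-9657-a6b848a050da';
console.log(allowsConnect(BEFORE, SAMPLE_BLOB, 'https://example.test'),
  allowsConnect(AFTER, SAMPLE_BLOB, 'https://example.test'));
```

Because `https:` stays in `connect-src`, the updated policy still permits connections to any HTTPS host; the `'self'` and `https://*.brizy.io` entries only narrow anything if `https:` is dropped.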
Nobody?
Hi,
I'm sorry for the late response. In the last weeks, we had a lot of work with the new updates. Actually, this type of error should not be appearing on the site and we don't encounter it on other dashboards. Do you have the latest Brizy Free (2.0.6) and Brizy Pro (2.0.4) versions? It can also happen because of the WP general settings. Do you have the WP address and Site address set with the same URL and HTTPS (https://jmp.sh/TB8Lh4y)?
Thanks!
Best regards,
Sandra