WordPress Editor Won't Load Content Anymore

I ran into some odd WordPress behaviour recently. While most pages load fine, editing anything, such as a post or a page, produces a blank browser tab with no content at all. The result is the same in both Firefox and Chrome; I have not tried other browsers.

ANSWER

Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'unsafe-inline'

This was the error I got when I opened the page, opened the developer tools, and then reloaded the page.

It was caused by a custom Content-Security-Policy header set on the site's web server. It looked something like this:

Header set Content-Security-Policy "default-src 'unsafe-inline'"

Add 'unsafe-eval' to get around it. Use of eval() is usually considered bad practice and insecure, hence it is blocked until it is explicitly allowed by adding it to the policy. After the modification the header looks like this. Don't forget to restart the web server.

Header set Content-Security-Policy "default-src 'unsafe-inline' 'unsafe-eval'"

More detailed explanations can be had here: https://scotthelme.co.uk/content-security-policy-an-introduction/
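The part of this that trips people up is why a header that only sets default-src decides whether eval() runs at all. Below is an added example (my code, not from the post or from WordPress) that models the fallback rule from the CSP specification: eval(), new Function() and string arguments to setTimeout are checked against script-src, and when script-src is absent the browser falls back to default-src. The two policies from the answer are reproduced; the third, narrower policy is my own assumption showing how to grant 'unsafe-eval' to scripts without also loosening every other resource type.

```python
"""Work out which CSP directive governs eval() for a given
Content-Security-Policy header value.

Added example, not code from the original post. It models the fallback rule
from the CSP specification: eval()/new Function()/setTimeout(string) are
checked against script-src, and when script-src is absent the user agent
falls back to default-src. That is why a header that only sets default-src
still decides whether the WordPress editor's eval() call is allowed to run.
"""

# Fallback chain for eval-style execution. script-src-elem and
# script-src-attr do NOT apply to eval(); only script-src and default-src do.
EVAL_FALLBACK = ("script-src", "default-src")


def parse_csp(header_value):
    """Parse a CSP header value into {directive_name: [source expressions]}.

    Directives are separated by ';' and tokenised on whitespace; names are
    ASCII case-insensitive. A directive that appears twice is ignored after
    its first occurrence, which is what browsers do (they log a warning).
    """
    policy = {}
    for directive in header_value.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def governing_directive(policy, fallback):
    """Return (name, sources) for the first directive in `fallback` that the
    policy sets, or (None, None) when none is set (no restriction applies)."""
    for name in fallback:
        if name in policy:
            return name, policy[name]
    return None, None


def eval_allowed(header_value):
    """True when eval() may run under this policy.

    A directive that is present replaces the fallback entirely: a script-src
    without 'unsafe-eval' blocks eval() even if default-src would allow it.
    """
    name, sources = governing_directive(parse_csp(header_value), EVAL_FALLBACK)
    if name is None:
        return True  # neither script-src nor default-src set: eval() is unrestricted
    return "'unsafe-eval'" in (s.lower() for s in sources)


# The two header values from the post, plus a narrower variant (assumption,
# not from the post) that keeps default-src tight and only relaxes scripts.
POLICY_BEFORE = "default-src 'unsafe-inline'"
POLICY_AFTER = "default-src 'unsafe-inline' 'unsafe-eval'"
POLICY_NARROWER = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'"

if __name__ == "__main__":
    for label, value in (("before", POLICY_BEFORE), ("after", POLICY_AFTER),
                         ("narrower", POLICY_NARROWER)):
        name, _ = governing_directive(parse_csp(value), EVAL_FALLBACK)
        print(f"{label:9s} eval allowed={eval_allowed(value)!s:5s} governed by {name}")
```

Before widening a site-wide policy, check which directive actually governs the blocked call (the browser's error message names it) and whether the relaxation can be confined. With Apache, for instance, the `Header set` line can live inside a `<Location "/wp-admin">` block so that 'unsafe-eval' is granted to the editor only, and the public pages keep the stricter policy.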

Is a nonce useless when user input is reflected within an inline script?

I stumbled upon a web app that accepts user input and puts it into a variable inside a script tag.

The script tag does have a nonce attribute.


As I am working on bypassing the XSS filter, I had the thought that this practice of reflecting user input within an inline script that carries a nonce attribute renders the nonce useless.

Is my understanding correct, or am I missing something here?

Author: Rahul
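The page gives no answer to this question. As an added example (my code, not the poster's and not the app's), the following models the server side of what the question describes. The template shape, a `var q = ...` assignment inside a nonced script, is an assumption standing in for the app's real markup. The nonce tells the browser to execute that element; it says nothing about what the element contains, so untrusted text interpolated into it runs with the nonce's authority. A payload that merely closes the JavaScript string therefore executes. What the nonce does defeat is a payload that closes the script element and opens a new one, because the second element carries no nonce and the policy rejects it. The hardened renderer encodes the value as a JSON literal with `<`, `>` and `&` escaped, so the text can never leave the string, the statement, or the element.

```python
"""Model of a server rendering a reflected value into a nonced inline
script, the vulnerable way and the hardened way.

Added example, not code from the post or the app it describes. The template
shape (`var q = ...` inside <script nonce=...>) is an assumption standing in
for the app's own markup. Demonstrated: a nonce authorises the element, not
its contents, so untrusted text inside the element runs; a payload that
closes the element produces a second <script> with no nonce, which CSP blocks.
"""
import base64
import json
import re
import secrets


def new_nonce():
    """Fresh, unguessable nonce per response (128 bits, base64 as CSP expects)."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def render_vulnerable(user_input, nonce):
    # Raw interpolation: the user text is parsed as JavaScript source, and the
    # nonce on the element authorises whatever that source turns out to be.
    return f'<script nonce="{nonce}">var q = "{user_input}";</script>'


def js_literal(value):
    """Serialise a Python value as a JavaScript literal safe to embed in a <script> body.

    json.dumps (ensure_ascii=True) already escapes quotes, backslashes, control
    characters and the U+2028/U+2029 line terminators. It leaves '<', '>' and
    '&' alone, so those are escaped too; otherwise the value could carry
    '</script>' or '<!--' and change how the HTML parser delimits the element.
    """
    text = json.dumps(value)
    return text.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


def render_hardened(user_input, nonce):
    # The value can only ever be a JS string literal; it cannot terminate the
    # string, the statement, or the <script> element.
    return f'<script nonce="{nonce}">var q = {js_literal(user_input)};</script>'


_OPEN_RE = re.compile(r'<script nonce="[^"]*">', re.I)
_CLOSE_RE = re.compile(r"</script", re.I)


def script_body(html):
    """Body of the first nonced <script>, cut where the HTML tokenizer cuts it:
    at the first '</script', regardless of any JavaScript string context."""
    start = _OPEN_RE.search(html)
    if start is None:
        return None
    end = _CLOSE_RE.search(html, start.end())
    return html[start.end():end.start()] if end else None


def recover_q(html):
    """Read back the literal assigned to q, as a stand-in for the JS parser.

    Returns the string value when the element body is exactly
    `var q = <one string literal>;`, or None when injected input either cut
    the element short or escaped the string and became code.
    """
    body = script_body(html)
    if body is None:
        return None
    match = re.fullmatch(r"var q = (.*);", body, re.S)
    if match is None:
        return None
    try:
        value = json.loads(match.group(1))
    except ValueError:
        return None
    return value if isinstance(value, str) else None


# Constructed payloads, not taken from the post.
BREAK_OUT_OF_STRING = '";alert(document.cookie);//'        # stays inside the nonced element
BREAK_OUT_OF_ELEMENT = "</script><script>alert(1)</script>"  # needs a second, nonce-less element

if __name__ == "__main__":
    nonce = new_nonce()
    for payload in (BREAK_OUT_OF_STRING, BREAK_OUT_OF_ELEMENT):
        for name, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
            html = render(payload, nonce)
            print(f"{name:10s} intact literal={recover_q(html) == payload!s:5s} "
                  f"script elements={html.count('<script')}  {html}")
```

Run it and the vulnerable renderer shows both failure modes: the string-breaking payload leaves a single nonced element whose body is now attacker code (the nonce changes nothing here), while the element-breaking payload splits the markup into two script elements, only the first of which carries the nonce. The hardened renderer keeps both payloads as inert string data. An equally sound alternative is to keep user data out of executable script altogether, for example in a `data-` attribute or a `<script type="application/json">` block that the page's nonced code reads and parses.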