Content Security Policy (CSP) HTTP Header is a response security header. This header is a part of the Shield's HTTP Headers module. Based on its settings, it can happen that you are unable to edit your site content, or some content being missing - CSP is blocking the content loading. There's nothing to worry about as this is CSP's normal behavior - it tries to protect your site content loading from the malicious sources.
So, when it happens that something is blocking your site content loading, the first thing to do is to determine exactly what's being blocked - use your Console on your web browser for that.
How to unblock your site content loading
We set the following security headers directives:
We set ' self ' directive for the CSP security header, which means "only permit content loaded from the site host" - block all other sources.
Here is an example of the content blocked due to the ' self ' security directive (Web Console blocking errors screenshot)
As we can see, the font source "http://fonts.gstatic.com" is blocked because it violates the CSP ' self ' directive we set with CSP security header.
How to unblock this source
To unblock this source, we just need to whitelist it by using the option "Permitted Hosts and Domains". (See here)
Here is an additional example (the same CSP security headers directives set)
Web Console displays the following blocking error:
"Content Security Policy: The page’s settings blocked the loading of a resource at http://0.gravatar.com/avatar/fd24ef1test?s=26&b=mm&r=g (“default-src https://testsite.com data: 'unsafe-inline' 'unsafe-eval'”)."
Blocking error explanation:
We've whitelisted our domain as a trustful images loading source "https://testsite.com":
Images loading from all other sources will be blocked, including the source http://0.gravatar.com.
To solve this blocking error, review the http://0.gravatar.com source, and if it's trustful, whitelist it by adding 0.gravatar.com into the "Permitted Hosts and Domains" field. (See the screenshot below)
After whitelisting, the source will be included in the CSP security response headers directives - content loading from "0.gravatar.com" domain will be allowed:
"Content-Security-Policy: default-src 'self' data: 'unsafe-inline' 'unsafe-eval' 0.gravatar.com;"
Important: Always whitelist the trustful sources only.
Note: If you're unfamiliar with all of the above, you may have to disable the CSP. Please see here.
We also recommend you to read the following articles:
- How to whitelist sources of the approved content
- Secure your WordPress sites with the Content Security Policy HTTP Header
- What are HTTP Security Response Headers?