
This is the technical support forum for WPML - the multilingual WordPress plugin.

Everyone can read, but only WPML clients can post here. WPML team is replying on the forum 6 days per week, 22 hours per day.

Last updated by Carlos Rojas 4 days, 12 hours ago.

Assisted by: Carlos Rojas.

January 28, 2026 at 11:24 am #17770204

Emanuela

Hello!
Our client recently sent us a report regarding content security policy issues.
Here you can find the details:

Directive: default-src
Issue 1: unsafe-inline allows the execution of unsafe in-page scripts and event handlers.
Issue 2: unsafe-eval allows the execution of code injected into DOM APIs such as eval().
Issue 3: https: URI in default-src allows the execution of unsafe scripts.

We noticed that the CSP policies also affect WPML.
Have you already worked on these security issues? Do you have a hook we can use to set a nonce or hash on styles and scripts generated by your plugins?
Thanks,
Emanuela
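
The three findings quoted above can be re-checked against a site's Content-Security-Policy header before and after a change. The following is an added example, not part of the original post and not WPML code; the function names and both sample policies are constructed for illustration.

```javascript
// Added example: re-check a CSP header for the three findings in the report.
const NONCE_OR_HASH = /^'(nonce|sha256|sha384|sha512)-[A-Za-z0-9+\/_-]+={0,2}'$/i;

// Parse a policy string into a Map of directive name -> source list.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored by browsers; the first one wins.
    if (name && !policy.has(name.toLowerCase())) {
      policy.set(name.toLowerCase(), sources);
    }
  }
  return policy;
}

// Report which of the three findings apply to script execution.
function auditScriptSources(header) {
  const policy = parseCsp(header);
  // script-src governs scripts; default-src is only the fallback.
  const directive = policy.has('script-src') ? 'script-src' : 'default-src';
  if (!policy.has(directive)) {
    return { directive: null, findings: ['no-script-restriction'] };
  }
  const sources = policy.get(directive);
  const lower = sources.map((s) => s.toLowerCase());
  const hasNonceOrHash = sources.some((s) => NONCE_OR_HASH.test(s));
  const strictDynamic = lower.includes("'strict-dynamic'");
  const findings = [];
  // Browsers ignore 'unsafe-inline' once a nonce, hash or 'strict-dynamic' is present.
  if (lower.includes("'unsafe-inline'") && !hasNonceOrHash && !strictDynamic) {
    findings.push('unsafe-inline');
  }
  if (lower.includes("'unsafe-eval'")) findings.push('unsafe-eval');
  // 'strict-dynamic' makes browsers ignore scheme and host sources.
  const broad = lower.some((s) => s === 'https:' || s === 'http:' || s === '*');
  if (broad && !strictDynamic) findings.push('broad-source');
  return { directive, findings };
}

// Constructed sample policies, not taken from the client's site.
const reported = "default-src 'self' 'unsafe-inline' 'unsafe-eval' https:";
const hardened = "default-src 'self'; script-src 'self' 'nonce-Q09OU1RSVUNURUQ='";
console.log(auditScriptSources(reported));
console.log(auditScriptSources(hardened));
```

The check covers script execution only; inline styles are governed by style-src (with the same default-src fallback) and would need the same review.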

January 28, 2026 at 12:06 pm #17770382

Carlos Rojas
WPML Supporter since 03/2017

Languages: English (English), Spanish (Español)

Timezone: Europe/Madrid (GMT+01:00)

Hi Emanuela,
This is the forum ticket where we will continue working on this issue.

I have set your next message private so you can securely share the access credentials to the site.

Looking forward to your message.
Regards,
Carlos