 Andrea
|
We have a website with Content Security Policy (CSP) enabled. The page to enable the Advanced Translation Editor seems to be unable to load text from your servers because of CSP, and shows variable names instead.
We found on https://wpml.org/changelog/2021/07/wpml-4-4-11-wordpress-5-8-features-and-stability-improvements/ that we should "whitelist ams.wpml.org or *.wpml.org in your Content Security Policy rules", but... Which rules?
To load text in that page, it seems it would be enough to add "ams.wpml.org" to the "connect-src" rule. Are there other rules to edit in order to avoid CSP issues?
Thanks
|
 Andreas W.
WPML Supporter since 12/2018
Languages:
English (English )
Spanish (Español )
German (Deutsch )
Timezone:
America/Lima (GMT-05:00)
|
Hello,
Whitelisting domains like "ams.wpml.org" refers to the site not being able to communicate with our servers due to your firewall settings.
Make sure that the following domains are not getting blocked:
wpml.org
cdn.wpml.org
api.wpml.org
api.toolset.com
cloudfront.net
You can see details about communication issues at WPML > Support > Installer Support (Link at the bottom of the page).
Best regards
Andreas
|
 Andrea
|
We should reduce to the minimum the domains allowed by CSP, otherwise we will make it ineffective and useless. For example, I don't think allowing all content from everyone on cloudfront.net is a good idea.
Moreover, we must know which rules to add the domains to: in CSP, knowing just the domain to allow is not enough.
Adding "ams.wpml.org" to the "connect-src" rule, we were able to see the text, but when trying to activate the Advanced Translation Editor, a script from "js.stripe.com" was blocked by CSP.
According to Stripe documentation at hidden link (you can take it as an example of a good CSP integration documentation) we should add also:
connect-src hidden link hidden link
frame-src hidden link hidden link
script-src hidden link hidden link
So, for WPML, what are the CSP rules needed? I think you should ask the developers if it's not already in your documentation (I just found a mention of CSP at https://wpml.org/changelog/2021/07/wpml-4-4-11-wordpress-5-8-features-and-stability-improvements/ but, as I said before, this is incomplete).
|
 Andreas W.
|
We do have the following documentation for this topic:
https://wpml.org/faq/wpml-plugin-cannot-connect-to-wpml-org/
Even if WPML uses Stripe to charge for automatic credits or uses Cloudfront as CDN, take note that questions in regards to Stripe or Cloudflare are not a WPML topic that could be answered inside this forum. Furthermore, we do not have any influence on their domains.
I could consult our second-tier support if there might be a more specific Cloudfront domain that you could whitelist.
Is this what you are looking for?
|
 Andreas W.
|
Second-tier support has told me that Cloudfront generally has to be whitelisted, since their global IPs change constantly.
|
 Andrea
|
The link you posted does not apply to our case. It refers to server-side inclusion and not to client-side inclusion, as done by the "Advanced Translation Editor" activation page.
I suggest you forward this issue to your developers.
|
 Andreas W.
|
Hello,
Which screen are you referring to with "Advanced Translation Editor" activation page?
Please send me a screenshot.
Further, I would like to have a closer look at the site. Would this be possible? Before I escalate this issue to our second-tier support which then needs to determine further steps I need to have a full picture of the issue.
Why do you think that this is an issue for our developers?
There are simply specific domains that need to be whitelisted when CSP is used, and there is possibly nothing we could do to prevent CSP from blocking those IPs.
|
 Andrea
|
For the "Advanced Translation Editor" activation page, I refer to the "Tools" tab, at
/wp-admin/admin.php?page=tm%2Fmenu%2Fmain.php&sm=ate-ams
The attached screenshot shows how it looks with CSP enforced.
I think I have described the issue enough. If you don't understand what CSP is and how it works, please just escalate to second level.
As stated on https://wpml.org/changelog/2021/07/wpml-4-4-11-wordpress-5-8-features-and-stability-improvements/ it should be enough to whitelist ams.wpml.org, but I found out that Stripe should also be whitelisted.
|
 Andreas W.
|
I do not have any issue with understanding the following:
Google is now encouraging webmasters to enable Content Security Policy (CSP). This server feature blocks websites from loading 3rd-party JavaScript. In the case of WPML, it causes conflicts with our Advanced Translation Editor.
WPML 4.4.11 changes the way we load JavaScript, so WPML and the Advanced Translation Editor will continue working normally with and without CSP. If you are enabling CSP, we recommend that you also whitelist ams.wpml.org or *.wpml.org in your Content Security Policy rules. However, even if you don’t, WPML will work normally.
Did you whitelist the following domains?
wpml.org
cdn.wpml.org
api.wpml.org
api.toolset.com
cloudfront.net
Take note that the blog post further asks for whitelisting all our subdomains:
*.wpml.org
As mentioned earlier, Stripe needs to be enabled as it is used by us to process payment for the Pay-As-You-Go-Subscription.
Can you please test if whitelisting the requested Stripe APIs solves the issues?
|
 Andrea
|
What is the purpose of whitelisting these domains on CSP?
AND MOST IMPORTANTLY, FOR WHAT CSP RULES SHOULD WE WHITELIST EACH DOMAIN?
As I said above, please refer to hidden link for a good example of CSP documentation, which should be integrated in your future documentation as you use Stripe.
|
 Andreas W.
|
Thank you for the guide - this topic is new to me and I have been working on WPML support for more than five years. There are not many customers yet sending requests regarding CSP.
Surely I can forward a request to our documentation team, but for now, the most important point would be to make your site run WPML as expected.
Please recreate the issue on the following test site and I will be glad to have a look into your code and try to find a solution:
One-Click-Login:
hidden link
Make sure to leave me a quick comment on this ticket, once you replicated the issue with a simple example.
|
 Andrea
|
I can't replicate fully, as after the configuration, the advanced translation editor was already enabled.
In any case, I uploaded a plugin that sets the CSP header using this function:
<?php
// Sends a single Content-Security-Policy header; implode() joins the directives with ';'.
header('Content-Security-Policy: ' . implode(';', array(
    "upgrade-insecure-requests",
    "default-src 'self'",                                // fallback for every fetch directive not listed below
    "script-src 'self' 'unsafe-inline' 'unsafe-eval'",
    "style-src 'self' 'unsafe-inline'",
    "img-src data: blob: https:",                        // images from any https host
    "font-src 'self' data:",
    "connect-src 'self' blob:",                          // XHR / fetch / WebSocket targets
    "media-src 'self' blob:",
    "object-src 'self'",
    "frame-src 'self'",                                  // iframes
    "worker-src 'self' blob:",
)));
Enabling this plugin, the page hidden link stops loading, and you should add some domains to the CSP rules to make it work again.
|
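The question the thread keeps circling back to is not "which domain" but "which directive for which domain". The following evaluator is an added example, not WPML's, Stripe's or the test plugin's code: it parses the policy posted above, decides for each load which directive governs it (falling back to default-src the way browsers do), applies CSP3 host matching, and reports the minimal per-directive additions. The hosts ams.wpml.org and js.stripe.com come from the thread; the page origin, the URL paths and the cloudfront hostname are assumptions. 'self' is approximated as same scheme, host and port, and nonces and hashes are not modelled.

```python
"""Added example, not WPML's, Stripe's or the plugin's code: a small CSP evaluator that answers
"which directive does this host have to go in?" for the loads named in the thread. ams.wpml.org and
js.stripe.com come from the thread; page origin, URL paths and the cloudfront hostname are assumptions."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "font-src", "connect-src", "media-src",
                    "object-src", "frame-src", "worker-src", "child-src", "manifest-src"}  # inherit default-src

def parse_csp(value):
    """'a b; c d' -> {'a': ['b'], 'c': ['d']} (directive names are case-insensitive)."""
    policy = {}
    for token in value.split(";"):
        parts = token.split()
        if parts:
            policy.setdefault(parts[0].lower(), []).extend(parts[1:])
    return policy

def serialize(policy):
    return "; ".join(" ".join([name, *srcs]) for name, srcs in policy.items())

def governing_sources(policy, directive):
    """The source list that restricts `directive`, or None when nothing does."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src") if directive in FETCH_DIRECTIVES else None

def _split_host_source(expr):   # 'https://*.wpml.org:443/x' -> ('https', '*.wpml.org', '443', '/x')
    scheme = port = path = None
    if "://" in expr:
        scheme, expr = expr.split("://", 1)
    if "/" in expr:
        expr, rest = expr.split("/", 1)
        path = "/" + rest
    if ":" in expr:
        expr, port = expr.rsplit(":", 1)
    return (scheme.lower() if scheme else None), expr.lower(), port, path

def source_matches(expr, url, page_origin):
    """One source expression against an absolute URL, following CSP3 host matching.
    Keywords other than 'self' (nonces, hashes, 'unsafe-*', 'none') never match a URL."""
    u = urlsplit(url)
    u_port = u.port or DEFAULT_PORTS.get(u.scheme)
    if expr.startswith("'"):
        if expr != "'self'":
            return False
        o = urlsplit(page_origin)
        return (u.scheme, u.hostname, u_port) == (o.scheme, o.hostname, o.port or DEFAULT_PORTS.get(o.scheme))
    if expr.endswith(":") and "/" not in expr:          # scheme-source: "https:", "data:", "blob:"
        scheme = expr[:-1].lower()
        return u.scheme == scheme or (scheme == "http" and u.scheme == "https")
    scheme, host, port, path = _split_host_source(expr)
    if scheme and not (u.scheme == scheme or (scheme == "http" and u.scheme == "https")):
        return False
    if host.startswith("*."):                           # wildcard covers subdomains, not the apex
        if not u.hostname.endswith(host[1:]):
            return False
    elif host != "*" and host != u.hostname:            # exact host: "cloudfront.net" != "x.cloudfront.net"
        return False
    if port != "*" and (int(port) if port else DEFAULT_PORTS.get(u.scheme)) != u_port:
        return False
    if path and not (u.path.startswith(path) if path.endswith("/") else u.path == path):
        return False
    return True

def is_allowed(policy, directive, url, page_origin):
    sources = governing_sources(policy, directive)
    return sources is None or any(source_matches(s, url, page_origin) for s in sources)

def required_additions(policy, loads, page_origin):
    """For every blocked (directive, url) pair, the origin that has to be added to that directive."""
    needed = {}
    for directive, url in loads:
        if not is_allowed(policy, directive, url, page_origin):
            u = urlsplit(url)
            origin = f"{u.scheme}://{u.hostname}" + (f":{u.port}" if u.port else "")
            if origin not in needed.setdefault(directive, []):
                needed[directive].append(origin)
    return needed

def extend_policy(policy, additions):
    """Copy of `policy` with origins appended. A directive that was inheriting default-src is
    seeded with default-src first; otherwise adding script-src alone would silently drop 'self'."""
    new = {k: list(v) for k, v in policy.items()}
    for directive, origins in additions.items():
        if directive not in new and directive in FETCH_DIRECTIVES:
            new[directive] = list(new.get("default-src", []))
        for origin in origins:
            if origin not in new.setdefault(directive, []):
                new[directive].append(origin)
    return new

PAGE_ORIGIN = "https://shop.example"                                        # assumed site origin
BASE_CSP = ("upgrade-insecure-requests; default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
            "style-src 'self' 'unsafe-inline'; img-src data: blob: https:; font-src 'self' data:; "
            "connect-src 'self' blob:; media-src 'self' blob:; object-src 'self'; frame-src 'self'; "
            "worker-src 'self' blob:")                                     # the test plugin's policy
# Loads the thread reports as blocked: text fetched from ams.wpml.org (XHR, so connect-src) and the
# Stripe script from js.stripe.com (script-src). The paths are assumptions.
LOADS = [("connect-src", "https://ams.wpml.org/api/strings"), ("script-src", "https://js.stripe.com/v3/")]

def demo():   # -> (what to add, resulting header, what is still blocked, cloudfront comparison)
    base = parse_csp(BASE_CSP)
    additions = required_additions(base, LOADS, PAGE_ORIGIN)
    fixed = extend_policy(base, additions)
    cdn = "https://d1234.cloudfront.net/asset.js"                          # assumed CDN hostname
    covered = (source_matches("cloudfront.net", cdn, PAGE_ORIGIN), source_matches("*.cloudfront.net", cdn, PAGE_ORIGIN))
    return additions, serialize(fixed), required_additions(fixed, LOADS, PAGE_ORIGIN), covered
```

demo() reports ams.wpml.org under connect-src and js.stripe.com under script-src, which is the per-directive answer the thread asks for; the Stripe iframe and API hosts elided above would be added to frame-src and connect-src the same way, and nothing is left blocked afterwards. The cloudfront comparison shows why a bare "cloudfront.net" entry is the wrong unit: it matches only that exact host and so covers no CDN subdomain at all, while "*.cloudfront.net" covers every customer of the CDN. Whatever emits the header, confirm with `curl -sI` against the live site that it is actually present in the response.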
 Andreas W.
|
Thank you very much for your cooperation!
I will run some tests and then get back to you about this tomorrow.
If I can find a working solution, then I will escalate the issue to our documentation team or consult our second-tier support team for a solution.
|
 Andreas W.
|
Your hardcoded approach does not look like it is working as expected and causes unexpected issues.
I suggest you use the free HTTP Headers plugin instead:
Guide:
hidden link
I implemented this plugin on the test site and I cannot confirm the same errors.
|
 Andrea
|
It works because the plugin fails to send the Content-Security-Policy http header on the test site.
It adds the instruction to the .htaccess file, but it seems to be ignored by Nginx.
|
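The test-site result only looked like a fix because no Content-Security-Policy header reached the browser. The check below is an added example (not the HTTP Headers plugin's or WPML's code): given a raw HTTP response, it says whether a CSP is enforced, only reported, or missing altogether. The three responses are constructed for the example; on a real site feed it the output of `curl -s -D - -o /dev/null <url>`.

```python
"""Added example, not the HTTP Headers plugin's or WPML's code: classify the CSP state of a raw
HTTP response. The responses below are constructed."""

def parse_headers(raw):
    """Status line plus headers -> {lower-name: [values...]}; repeated headers are all kept."""
    headers = {}
    for line in raw.split("\r\n")[1:]:
        if not line:
            break                                   # blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def csp_status(raw):
    """('enforced' | 'report-only' | 'missing', [policies]). Several Content-Security-Policy
    headers (or comma-joined values) are all enforced: a load must satisfy every one of them.
    A Report-Only header blocks nothing, so it is not counted as protection."""
    h = parse_headers(raw)
    enforced = [p.strip() for v in h.get("content-security-policy", []) for p in v.split(",")]
    report_only = h.get("content-security-policy-report-only", [])
    if enforced:
        return "enforced", enforced
    if report_only:
        return "report-only", report_only
    return "missing", []

# Constructed responses: Nginx serving the page with the .htaccess rule ignored (no CSP at all),
# a header emitted twice, and a report-only header.
NO_CSP = "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n<html>"
ENFORCED = ("HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Security-Policy: default-src 'self'\r\n"
            "Content-Security-Policy: script-src 'self' https://js.stripe.com\r\n\r\n<html>")
REPORT_ONLY = "HTTP/1.1 200 OK\r\nContent-Security-Policy-Report-Only: default-src 'self'\r\n\r\n"
```

On Nginx a `.htaccess` file is never read, so the header has to come from an `add_header` directive in the server configuration or from PHP, as the hardcoded plugin in this thread does; a plugin that only writes `.htaccess` reports success while the response carries no policy at all, which is exactly the "missing" case.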