This thread is resolved. Here is a description of the problem and solution.
Problem:
If you're experiencing issues with the Advanced Translation Editor not loading text from our servers due to Content Security Policy (CSP) restrictions, and it's showing variable names instead, you might need to adjust your CSP rules.
Solution:
We recommend adding "ams.wpml.org" to the following CSP rules to ensure proper functionality of WPML's Translation Management:
connect-src https://ams.wpml.org
style-src https://ams.wpml.org
script-src https://ams.wpml.org
Please note that as this is an advanced development topic, the developer implementing CSP should be responsible for whitelisting all required APIs. We can only take responsibility for our APIs in this matter.
Keep in mind that this solution might be irrelevant if it's outdated or not applicable to your case. If after trying these steps you're still facing issues, we highly recommend checking related known issues, verifying the version of the permanent fix, and confirming that you have installed the latest versions of themes and plugins. If the problem persists, please open a new support ticket with us.
This is the technical support forum for WPML - the multilingual WordPress plugin.
Everyone can read, but only WPML clients can post here. WPML team is replying on the forum 6 days per week, 22 hours per day.
We have a website with Content Security Policy (CSP) enabled. The page to enable the Advanced Translation Editor seems to be unable to load text from your servers because of CSP, and shows variable names instead.
To load text in that page, it seems it would be enough to add "ams.wpml.org" to the "connect-src" rule. Are there other rules to edit in order to avoid CSP issues?
We should reduce to the minimum the domains allowed by CSP, otherwise we will make it ineffective and useless. For example I don't think allow all content from everyone on cloudfront.net is a good idea.
Moreover we must know to what rules add the domains: in CSP knowing just the domain to allow is not enough.
Adding "ams.wpml.org" to the "connect-src" rule, we were able to see the text, but trying to activate the Advanced Translation Editor, a script from "js.stripe.com" was blocked by CSP
According to Stripe documentation at hidden link (you can take it as an example of a good CSP integration documentation) we should add also:
connect-src hidden linkhidden link
frame-src hidden linkhidden link
script-src hidden linkhidden link
Even if WPML uses Stripe to charge for automatic credits or uses Cloudfont as CDN, take note that questions in regards to Stripe or Cloudflare are not a WPML topic that could be answered inside this forum. We do further not have any influence on their domains.
I could consult our second-tier support if there might be a more specific Cloudfont domain that you could whitelist.
The link you posted does not apply to our case. It refers to server-side inclusion and not to client-side inclusion as the ones done by the "Advanced Translation Editor" activation page
I suggest you to forward this issue to your developers
Languages: English (English )Spanish (Español )German (Deutsch )
Timezone: America/Lima (GMT-05:00)
Hello,
Which screen are you referring to with "Advanced Translation Editor" activation page?
Please send me a screenshot.
Further, I would like to have a closer look at the site. Would this be possible? Before I escalate this issue to our second-tier support which then needs to determine further steps I need to have a full picture of the issue.
Why do you think that this is an issue for our developers?
There are simply specific domains that need to be whitelisted when CSP is used and there is possibly nothing we could do to prevent CSP from blocking those IPs.
Languages: English (English )Spanish (Español )German (Deutsch )
Timezone: America/Lima (GMT-05:00)
I do not have any issue with understanding the following:
Google is now encouraging webmasters to enable Content Security Policy (CSP). This server feature blocks websites from loading 3rd-party JavaScript. In the case of WPML, it causes conflicts with our Advanced Translation Editor.
WPML 4.4.11 changes the way we load JavaScript, so WPML and the Advanced Translation Editor will continue working normally with and without CSP. If you are enabling CSP, we recommend that you also whitelist ams.wpml.org or *.wpml.org in your Content Security Policy rules. However, even if you don’t, WPML will work normally.
What is the purpose of whitelist these domains on CSP?
AND MOST IMPORTANTLY, FOR WHAT CSP RULES SHOULD WE WHITELIST EACH DOMAIN?
As I said above please refer to hidden link for a good example of CSP documentation, that should be integrated in your future documentation as you use Stripe
Languages: English (English )Spanish (Español )German (Deutsch )
Timezone: America/Lima (GMT-05:00)
Thank you for the guide - this topic is new to me and I have been working on WPML support for more than five years. There are not many customers yet sending requests regarding CSP.
Surly I can forward a request to our documentation team, but for now, the most important point would be to make your site run WPML as expected.
Please recreate the issue on the following test site and I will be glad to have a look into your code and try to find a solution:
One-Click-Login: hidden link
Make sure to leave me a quick comment on this ticket, once you replicated the issue with a simple example.
