[WordPress] Plugin spotlight: No unsafe-inline

[Cover image of the WordPress plugin No unsafe-inline]

Introduction

  • The WordPress plugin "No unsafe-inline" was published on 2022-03-24.
  • It currently has 200 active installations.
  • The last update was on 2024-09-29, which is 217 days ago.
  • The plugin requires WordPress 5.9 or later.
  • The plugin requires the site's host to run PHP 7.4 or later.
  • 5 people have rated it.
  • There are currently 4 questions in the support forum, with a 25% resolution rate.

Plugin contributors

mociofiletto

Plugin tags

csp | security | multisite | unsafe-inline | content security policy

Description

Content Security Policy (CSP) is a computer security standard intended to prevent cross-site scripting (XSS), clickjacking and other code injection attacks that execute malicious content in a trusted web page context.
Cross-site scripting (XSS) is a security vulnerability found in some web applications.
XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users.
A cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same-origin policy.
According to the National Vulnerability Database run by the US NIST, more than 1600 XSS vulnerabilities have been reported for WordPress plugins and themes.

Keeping your site's plugins and themes up to date is the first line of defense for your site's security.

The second step is to deploy a strict Content Security Policy.

The main problem

The main problem with Content Security Policies as actually deployed is that they are too weak to protect your site, and many of them can easily be bypassed by an attacker.

The proposed solution

Google researchers recommend, instead of whole-host whitelisting, enabling individual scripts through the CSP nonce approach.
In addition, to promote adoption of nonce-based CSP, they proposed the 'strict-dynamic' keyword.

The problems with CSP in WordPress

Manual creation of a policy

Usually a WordPress project is a combination of code written by different authors who contributed to Core or wrote plugins and themes.
If it is possible, for those included in

and in the script-src directive:

script-src 'nonce-rAnd0m';

And of course the nonce must be unique for every HTTP response.

Unsafe hashes / inline style sheets

Sometimes HTML elements such as images or buttons use HTML event attributes (onclick, onsubmit…) to let events trigger actions in the browser.

Original plugin description

Content Security Policy (CSP) is a computer security standard introduced to prevent cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context.
Cross-site scripting (XSS) is a type of security vulnerability that can be found in some web applications.
XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users.
A cross-site scripting vulnerability may be used by attackers to bypass access controls like the same-origin policy.
Looking at National Vulnerability Database run by US NIST, more than 900 (March 2024) vulnerabilities are reported as XSS for WordPress’ plugins and themes.
Keeping your site up-to-date with the latest versions of plugins and themes is the first line of defense to ensure your site’s security.
The second thing to do, is to deploy a strict Content Security Policy.
The main problem
The main problem with Content Security Policies implemented in the real world is that they are too weak to really protect your site and that many of them can be trivially bypassed by an attacker.
The proposed solution
Google researchers recommend, instead of whole host whitelisting, to activate individual scripts via a CSP nonces approach.
In addition, in order to facilitate the adoption of nonce-based CSP, they proposed the 'strict-dynamic' keyword.
The problem(s) with CSP in WordPress

Manual creation of a policy
Usually, a WordPress project is a mix of code written by different authors who contributed to the Core and or wrote plugins and themes.
If it is possible to whitelist every external script loaded from a

Inline scripts
WordPress core and plugins use inline scripts. For these scripts, you can compute hashes to be inserted manually into your policy, but only if these scripts do not change at any page load. Unfortunately, this is not very common, as it is frequent to include variable values calculated server side in inline scripts. This means that your inline scripts change too frequently to manually add their hashes to your policy. This commonly happens when scripts are "localized".

WordPress has no API to implement nonces for CSP
Even if it is easy to generate a nonce for each page view, this nonce has to be inserted in every script tag used to embed inline scripts in your page as

and in your script-src directive:
script-src 'nonce-rAnd0m';

And, of course, a nonce must be unique for each HTTP response.

Unsafe hashes / Inline styles
Sometimes, HTML elements such as images or buttons use HTML Event Attributes (onclick, onsubmit…) to let events trigger actions in a browser.
You cannot use hashes or nonces for script included in event attributes, and adopting a strict CSP requires either refactoring those patterns into safer alternatives or using 'unsafe-hashes'.
You got a similar problem when inline styles are used in HTML tags:

This is a heading

This is a paragraph.

CSP Level 2 browsers may be fine with just putting the hash in your style-src directive. However, on browsers that support CSP Level 3, trying to allow inline CSS in a style attribute by hash alone produces an error like this:
Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'sha256-nMxMqdZhkHxz5vAuW/PAoLvECzzsmeAxD/BNwG15HuA='". Either the 'unsafe-inline' keyword, a hash ('sha256-nMxMqdZhkHxz5vAuW/PAoLvECzzsmeAxD/BNwG15HuA='), or a nonce ('nonce-...') is required to enable inline execution.

To allow inline styles you need to use 'unsafe-hashes' in your style-src directive (which is, in fact, unsafe).
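To make the three mechanisms discussed above concrete (per-response nonces for script tags, SHA-256 hashes for inline script and style bodies, and the 'unsafe-hashes' requirement for style attributes), here is an added Python example. It is not code from the No unsafe-inline plugin, which is written in PHP; the function names, the sample "localized" script bodies and the nonce value `rAnd0m` are constructed for illustration. The `inline_allowed` check shows why hashes break for inline scripts that embed server-side values: changing one character of the body changes the hash.

```python
import base64
import hashlib
import secrets

# Added example, not the plugin's own code. Function and variable names
# are hypothetical; the sample script bodies below are constructed.


def csp_hash(source: str) -> str:
    """CSP source expression for an inline <script> or <style> body.

    Browsers hash the exact text between the opening and closing tag
    (whitespace included), as UTF-8, and compare the base64 SHA-256.
    """
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def new_nonce() -> str:
    """Fresh unguessable nonce; draw one per HTTP response, never reuse it."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def build_script_src(nonce: str, inline_hashes=(), strict_dynamic: bool = True) -> str:
    """Nonce-based script-src directive.

    With 'strict-dynamic', scripts that a nonced or hashed script loads at
    runtime are trusted as well, so no host whitelist is needed for them.
    """
    sources = [f"'nonce-{nonce}'", *inline_hashes]
    if strict_dynamic:
        sources.append("'strict-dynamic'")
    return "script-src " + " ".join(sources) + ";"


def build_style_src(element_hashes=(), attribute_hashes=()) -> str:
    """style-src directive.

    Hashes of <style> bodies work on their own; hashes of style="..."
    attributes are only honoured by CSP Level 3 browsers when
    'unsafe-hashes' is also present, which is the trade-off noted above.
    """
    sources = ["'self'", *element_hashes, *attribute_hashes]
    if attribute_hashes:
        sources.append("'unsafe-hashes'")
    return "style-src " + " ".join(sources) + ";"


def inline_allowed(directive: str, body: str) -> bool:
    """True if the directive lists the hash of exactly this inline body."""
    return csp_hash(body) in directive.rstrip(";").split()


def render_response(inline_script: str) -> dict:
    """Simulate one page render: the same nonce goes on the script tag and
    into the header, and a new nonce is drawn for every response."""
    nonce = new_nonce()
    return {
        "nonce": nonce,
        "html": f'<script nonce="{nonce}">{inline_script}</script>',
        "header": "Content-Security-Policy: " + build_script_src(nonce),
    }


if __name__ == "__main__":
    # Constructed sample: a "localized" inline script whose values are set server side.
    fixed = 'var nui = {"ajaxurl": "/wp-admin/admin-ajax.php"};'
    per_user = 'var nui = {"ajaxurl": "/wp-admin/admin-ajax.php", "user": 42};'
    policy = build_script_src("rAnd0m", [csp_hash(fixed)])
    print(policy)
    print("unchanged body allowed:", inline_allowed(policy, fixed))
    print("body with a per-user value allowed:", inline_allowed(policy, per_user))
    print(build_style_src(attribute_hashes=[csp_hash("color: red")]))
    print(render_response(fixed)["header"])
```

Run it directly to see a hash-based policy accept the fixed script body and reject the same body with one extra server-side value; that is the situation in which a nonce (regenerated by `render_response` on every call) is the only workable option.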

This plugin approach
This plugin addresses those problems in the following way:

During a capture phase, it detects the scripts, styles and other embedded content present in the pages of your site and stores them in the database.
Then you have to whitelist these contents from plugin admin.
The plugin uses machine learning to cluster inline scripts, trying to group together scripts generated by the same server-side (PHP) code. So you can authorize one example script, and every script that the classifier predicts to belong to a whitelisted cluster is authorized with it.
You can choose to use hashes to authorize external scripts (and the plugin will allow you to include Subresource Integrity in your

The plugin supports multisite installations and has (too) many options, documented in inline help.

Creating a Content Security Policy
After plugin activation, go to the Settings menu and look for the CSP Settings submenu. The steps you are supposed to follow are these.

  1. From the Tools tab, activate the capture of the tags and use your site by visiting all its pages, or let your users visit them, for a period long enough for the way your site is used (hours or days).
  2. From the Tools tab, perform the data clustering in the database (it can use many server resources).
  3. Go to the Base rules tab and include the desired values in the CSP directives (the table at the bottom of the page helps you with this).
  4. Go to the external scripts tab, the inline scripts tab and the scripts invoked by event handlers tab, and authorize the execution of all the legitimate scripts present on the pages of your site.
  5. Leaving the tag capture active, activate the policy test (at this stage the plugin will record some violations of the temporary policy, which are used to collect additional values to be included in the directives of your Content Security Policy).
  6. After visiting your site pages again, disable the capture of the tags and repeat the previous steps 2, 3 and 4.
  7. Enable site protection.

N.B. When you update plugins or themes, if something doesn't work properly on your site pages, temporarily deactivate the protection and repeat steps 1 to 7.

Code and libraries
This version of the plugin uses:
  • ivopetkov/HTML5DOMDocument to parse HTML;
  • RubixML for machine learning from version 1.1.0 (PHP-ML was used in versions 1.0.x);
  • opctim/php-nilsimsa to calculate and compare Nilsimsa digests.
The log functions have been taken from perfectyorg/perfecty-push-wp, something you should really try if you want to implement web Push notifications on your site. The complete list of dependencies used in this plugin can be seen in the dependency graph on GitHub.

Contributions, Issues, Bugs
Plugin code is hosted on a public repository on GitHub. Reach me over there to help and suggest.

Downloads by version

  • Method 1: click the version number link below to download the ZIP file, then log in to the site's admin dashboard, open "Plugins" > "Add New" in the left menu, choose "Upload Plugin" at the top, and upload the downloaded ZIP package to install and activate it.
  • Method 2: use the search box on the right of the "Add New" plugin screen and search for the plugin name "No unsafe-inline" to install it.

(Method 2 is recommended, to make sure the installed version matches the WordPress environment you are running.)


1.0.0 | 1.0.1 | 1.0.2 | 1.1.0 | 1.1.1 | 1.1.2 | 1.1.3 | 1.1.4 | 1.1.5 | 1.2.0 | 1.2.1 | 1.2.2 | trunk

Related plugins (you may also want to know about)

  • Wordfence Security – Firewall, Malware Scan, and Login Security 》...fective way to manage multiple WordPress sites with Wordfence installed from a single location. Monitor security status across all your sites from...
  • Really Simple Security – Simple and Performant Security (formerly Really Simple SSL) 》...le Plugins include Complianz GDPR, Disable Updates Manager, and Really Simple CAPTCHA. Really Simple SSL is a plugin that automatically configures your site to make the most of...
  • Jetpack – WP Security, Backup, Speed, & Growth 》...search engines, and grow your traffic with Jetpack. It's the ultimate toolkit for WordPress professionals and beginners alike. Customize and des...
  • Hostinger Tools 》The Hostinger Onboarding WordPress Plugin simplifies and speeds up the WordPress site setup process. It provides an easy and fast way to build a WordPress site.
  • Limit Login Attempts Reloaded – Login Security, Brute Force Protection, Firewall 》Limit Login Attempts Reloaded is a WordPress plugin that stops brute-force attacks and optimizes your ... by limiting the number of login attempts through regular login, XMLRPC, WooCommerce and custom login pages...
  • ManageWP Worker 》Want to clone or migrate your WordPress website to a new host or domain? No problem! With ManageWP, you can easily clone or migrate your website ...
  • Security Optimizer – The All-In-One Protection Plugin 》With carefully selected, easy-to-configure features, the SiteGround Security plugin provides everything you need to protect your site and prevent many threats, such as brute-force attacks, login errors, data leaks and more. ...
  • Safe SVG 》Safe SVG lets you upload SVG files to WordPress with peace of mind! It lets you allow SVG uploads while ensuring they are sanitized so that SVG/XML vulnerabilities cannot affect your site. In addition...
  • Loginizer 》Loginizer is a WordPress plugin that helps you fight brute-force attacks by blocking logins from an IP address once it reaches the maximum number of retries. You can use Loginizer to blacklist IP addresses...
  • All-In-One Security (AIOS) – Security and Firewall 》...vated to your website, All-in-One Security's WAF will detect and block hacking attempts, adding an extra layer of security to your WordPress site. ...
  • Solid Security – Password, Two Factor Authentication, and Brute Force Protection 》...ing iThemes Security Plugin can benefit you: the best plugin to protect your WordPress site. On average 30,000 websites are hacked every day, and every 39 seconds there is a...
  • User Role Editor 》The "User Role Editor" WordPress plugin lets you easily change user roles and capabilities. Just tick the checkboxes of the capabilities you want to add to the selected role, then click the "Update" button to save your changes. ...
  • Sucuri Security – Auditing, Malware Scanner and Security Hardening 》Sucuri Inc. is a globally recognized authority in website security, with specialized expertise in WordPress security. The Sucuri Security WordPress plugin is free for all WordPress users. It is...
  • MainWP Child – Securely Connects to the MainWP Dashboard to Manage Multiple Sites 》This is the child plugin for the "MainWP Dashboard", which connects your WordPress site to the MainWP Dashboard. MainWP is a complete WordPress management solution that is self-...
  • SiteGuard WP Plugin 》Version: 1.6.7. You can find documentation, FAQ and more detailed information on the Japanese and English web pages. After installing the SiteGuard WP Plugin, WordPress security is improved. This plugin is a...
