WordPress + Disqus + refused executing inline script

I’ve loaded Disqus on my WordPress website, which is running on HTTPS. The problem is that while the comments are shown at the bottom of the webpage, they are white (and since the background of the page is also white, they are not visible).

If I open Inspector in Chrome, the following error is printed to the Console tab.

    Refused to execute inline script because it violates the following
    Content Security Policy directive: "script-src https://*.twitter.com:*
    https://api.adsnative.com/v1/ad.json *.adsafeprotected.com *.google-analytics.com https://glitter-services.disqus.com
    https://*.services.disqus.com:* disqus.com http://*.twitter.com:*
    a.disquscdn.com api.taboola.com referrer.disqus.com *.scorecardresearch.com
    *.moatads.com https://admin.appnext.com/offerWallApi.aspx 'unsafe-eval'
    https://mobile.adnxs.com/mob *.services.disqus.com:*". Either the 'unsafe-inline'
    keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required
    to enable inline execution.

This happens because of the Popup Blocker Extension in Chrome, but I would like to enable it with content security policy: http://www.html5rocks.com/en/tutorials/security/content-security-policy/. Basically, the error occurs in the chrome-extension://* scheme, so I need to add an appropriate entry to the Content-Security-Policy to allow chrome extensions.

How should I disable the security policy for chrome extensions?
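Added example (not from the question or the answers): how a browser decides whether an inline script is permitted under the script-src directive quoted in the console error, and how a site's own inline script would be allowlisted with a hash rather than by loosening the policy. The directive value is a trimmed copy of the one in the error; the script bodies are constructed.

```python
import base64
import hashlib
import re

# Constructed sample: a trimmed copy of the script-src directive from the
# console error in the question. Every entry is a host source or 'unsafe-eval';
# none of them can authorise inline script, which is what the error says.
SCRIPT_SRC = ("https://*.twitter.com:* https://*.services.disqus.com:* disqus.com "
              "a.disquscdn.com 'unsafe-eval' *.services.disqus.com:*")


def csp_hash_source(script_body: str, algo: str = "sha256") -> str:
    """Return the CSP hash-source ('sha256-<base64>') for an inline script body.

    The hash covers the exact text between <script> and </script>, so any
    whitespace or reformatting of the script changes the value.
    """
    digest = hashlib.new(algo, script_body.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def inline_script_allowed(directive: str, script_body: str, nonce: str = "") -> bool:
    """Mimic the browser's check for an inline script under a script-src directive.

    Inline code runs only if the directive carries 'unsafe-inline' (and no hash
    or nonce, which would make 'unsafe-inline' ignored), a nonce matching the
    script element's nonce attribute, or a hash of the script body.
    Host sources such as disqus.com never apply to inline code.
    """
    sources = directive.split()
    has_hash_or_nonce = any(re.match(r"'(sha(256|384|512)|nonce)-", s) for s in sources)
    if "'unsafe-inline'" in sources and not has_hash_or_nonce:
        return True
    if nonce and f"'nonce-{nonce}'" in sources:
        return True
    return any(csp_hash_source(script_body, algo) in sources
               for algo in ("sha256", "sha384", "sha512"))


if __name__ == "__main__":
    body = "console.log('constructed inline script');"
    print("blocked under the page's directive:", not inline_script_allowed(SCRIPT_SRC, body))
    hardened = SCRIPT_SRC + " " + csp_hash_source(body)
    print("allowed once its hash is listed:", inline_script_allowed(hardened, body))
```

Listing a hash only permits that exact script; code injected by an extension still has no matching hash or nonce and stays blocked, which is the behaviour the answers below describe.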

2 comments

  1. This isn’t something you can (or should) meaningfully solve. It’s up to the extension vendor to properly implement themselves. The fact is the extension is attempting to inject inline code and it’s being stopped by the Content Security Policy because the CSP is made to block it. As it should, since the extension is indistinguishable from malware from its perspective.

    You could (but should not) simply add rules to your site’s Content Security Policy to allow the extension to run…but this is potentially dangerous, incredibly case-specific, and should basically only ever be done in an enterprise context in which everyone has a (poorly coded) browser extension that is required to work with your site. And even then re-coding the extension would generally be preferred.

  2. How should I disable the security policy for chrome extensions?

    Not. Additionally you can not.

    I need to add an appropriate entry to the Content-Security-Policy to allow chrome extensions.

    The CSP of extensions is part of the (local) extension.

    while the comments are shown at the bottom of the webpage, they are white
    Sounds like a matter of CSS to me … what about color: black; for your text?

    Or short: Websites are not able to mess with extensions. Which is good – I don’t want facebook to disable my CSP and send my personal porn preferences (from PornLiner addon) to my profile.