Content security policy - different behaviour windows vs linux

Question

I have a wordpress website that runs on a LAMP system.

I tried to improve security (I'm far from being an expert!) and added a CSP header.

Header  set Content-Security-Policy "default-src 'self'; font-src 'self' data: https://fonts.gstatic.com; frame-src https://www.google.com https://www.youtube.com; img-src 'self' https://secure.gravatar.com; script-src 'self' 'unsafe-inline' ; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; object-src 'none'"

What I don't understand: If I remove the unsafe-inline from the script-src my calendar widget does not load anymore on a windows browser (tested both firefox and chrome). But it works on a Linux browser (Firefox).

Is this a bug in apache2, in the windows browsers or in the calender wp plugin?

I'm confused. :-)

Answer 1

It doesn't look like an Apache bug, it just sends the CSP as a string without even understanding what's in it.

Of course you can use some User Agent conditions in the httpd.conf like:

SetEnvIfNoCase User-Agent "Linux x86_64" noCSP=1

and to publish CSP relying on noCSP flag to exclude CSP header for some kinds od user agents.
But you can easily clarify that and ensure you have the same CSP header for the Windows/Linux browsers.

I think a WP calendar plugin uses some inline scripts which are blocked in absence of 'unsafe-inline'. You can check accourding CSP errors in the browser console of windows browser.

Maybe you disabled CSP in your Linux Firefox browser (about:config page -> security.csp.enable -> false) or have some extensions which disable CSP.

Answer 2

So the different Windows/Linux behaviour comes from the Laboratory plugin that was running in my Linux Firefox. I have to check with the plugin author why unsafe-inline is required.