Our typical approach with security headers with all our WordPress sites is to use the Security Headers plugin, which allows for modification to CSP (or other headers, as needed).

A security team of one of our clients has highlight that ‘script-src’ has no value and it needs to have one.

Guidance to do this on WordPress, usually, is to add ‘unsafe-inline’, but while this will get rid of their error message, it kills the CSP. That seems silly to me. In fact, this security company has provided a CSP they approve of, which has ‘self’, then whitelisted domains, and then also has ‘unsafe-inline’ and ‘unsafe-eval’ in them, which I think makes the whole thing quite pointless, does it not?

However, adding ‘self’ and then attempting to whitelist domains or add hashes (I retrieved them for Google Inspect tool on the front end) just seems to annihilate site functionality.

Even if the front end looks mostly fine, the admin area just couldn’t function with that CSP in place, because scripts got blocked.

It seems to me that a script-src value is only going to break the site. I can’t possibly whitelist everything in a WordPress website with a whole bunch of plugins.

I have no clue about the nonce option, but that doesn’t seem like that would work either.

Initially, I thought I’d see if ‘self’ works, but this busted up the site.
I then found some domains to highlight (from Inspect tool) and added these.

upgrade-insecure-requests; script-src 'self' www.google-analytics.com ajax.googleapis.com

This still created blocked issues in front end, so I found all highlighted items and took the hash codes that Google Inspect tool offered.

upgrade-insecure-requests; script-src 'self' www.google-analytics.com ajax.googleapis.com 'sha256-X4Lw680O3vHDfcugCTXZC2XBjSsINPznUu/llg5TLeM=' 'sha256-9/X26c8A4hhDm5l8PmjNQ136l7rnx1Gn9xXs2z3dup8=' 'sha256-rjfSUjIA2A20p4lATAefLLG7Fy7VJssnkJ+SnJ2TXNo=' 'sha256-8CDrIHh6tB5AzNP78jzvxel49L6+yhTXv9yQl1quuoM=' 'sha256-7Z3UDEMxIvz4kUrStwbwTbyERD+xdMIfqGziBlViKec=' 'sha256-RWn1w3BKiDlDNbD6vM1kYLpeWCwwWPkob0LMWJ2gKJk=' 'sha256-VCul/cF2dFzd8xHSgv56T++LLkqGRYiggGEIUSq4DYU=' 'sha256-eDY0GdqziCJi7b7uuFZSZ44JBq7FeofxZNhLkwTa2CA='

This resulted in a few display issues on front end (on just a maintenance page) but the WordPress admin area just couldn’t function at all, so I didn’t go any further. The Inspect tool showed 99+ errors, so my thinking is that it is just impossible to whitelist all domains that need to load script, in a WordPress website.

However, I don’t know where to obtain further domains to white list (dynamic?) as the errors in the Inspect tool don’t generally highlight the domain it was trying to retrieve a script form.

Thanks very much for your help.