Add CSP (Content Security Policy) header support to Elementor
Prerequisites
- [x] I have searched for similar features requests in both open and closed tickets and cannot find a duplicate.
- [x] The feature is still missing in the latest stable version of Elementor (Elementor Pro).
What problem is your feature request going to solve? Please describe.
Hello, the CSP (Content Security Policy) header is a very strong security measure designed to avoid malicious actions on a website. It is especially designed to avoid XSS injections. https://content-security-policy.com/ The goal of the CSP header is to explicitly declare every asset (including inline scripts, script files, CSS, fonts ...) that may be used by a page. The browser will then refuse to use any other asset. I see that the Elementor team and several users have shown interest in this, but the main problem was that the inline JS script must be generated dynamically by Elementor, so it was impossible to whitelist the inline script using SHA256 (tickets 5833 and 3713).
Fortunately, WordPress Core 5.7 made a few changes and added a few functions especially designed to help plugin developers support CSP! https://make.wordpress.org/core/2021/02/23/introducing-script-attributes-related-functions-in-wordpress-5-7/ Those functions allow you to include inline JS the proper way and let the user add a nonce to every JS script included this way (using the wp_script_attributes filter). This nonce can now be used to implement CSP without the unclean 'unsafe-inline' enabled.
Describe the solution you'd like
I would like Elementor to use the new functions to get or print inline JS, such as:

```php
$js_inline = 'var ElementorTrySafeMode = function() {
[...];'
wp_print_inline_script_tag($js_inline);
```

instead of printing the JS script directly:

```html
<script>
var ElementorTrySafeMode = function() {
[...]
</script>
```
Describe alternatives you've considered
The alternative solutions already considered are described in ticket 5833 (https://github.com/elementor/elementor/issues/5833) (opened before WP 5.7 was released):
- externalize inline js script
- make inline js script static
But this seems really hard to set up.
Additional context
I am really looking forward to seeing CSP integrated perfectly with Elementor and Elementor Pro and think this would be a great step for WordPress security. Don't hesitate to answer this ticket if I can help you with anything.
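As an added example (not code from the original issue, from Elementor or from WordPress core), here is a site-side mu-plugin showing how the WordPress 5.7 hooks described above would be used once inline scripts go through wp_print_inline_script_tag(): it issues one random nonce per request, attaches it through the wp_script_attributes and wp_inline_script_attributes filters, and sends the matching Content-Security-Policy header. The csp_example_ function names are assumptions and the policy directives are illustrative.

```php
<?php
/**
 * Plugin Name: CSP nonce for WordPress 5.7+ script tags (added example)
 * Drop into wp-content/mu-plugins/. Only scripts printed through the 5.7
 * helpers (wp_print_script_tag / wp_print_inline_script_tag) receive the
 * nonce; any <script> a plugin still writes by hand is blocked by the policy.
 */

// One nonce per request: 128 bits from a CSPRNG, base64-encoded as CSP expects.
function csp_example_nonce() {
    static $nonce = null;
    if ( null === $nonce ) {
        $nonce = base64_encode( random_bytes( 16 ) );
    }
    return $nonce;
}

// Attach nonce="..." to both external and inline script tags that WordPress
// builds via wp_get_script_tag() / wp_get_inline_script_tag().
function csp_example_add_nonce( $attributes ) {
    $attributes['nonce'] = csp_example_nonce();
    return $attributes;
}
add_filter( 'wp_script_attributes', 'csp_example_add_nonce' );
add_filter( 'wp_inline_script_attributes', 'csp_example_add_nonce' );

// Send the policy before any output. 'strict-dynamic' lets a nonced script
// load its own dependencies without listing every host; no 'unsafe-inline'.
function csp_example_send_header() {
    if ( headers_sent() ) {
        return;
    }
    $policy = sprintf(
        "script-src 'nonce-%s' 'strict-dynamic'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'",
        csp_example_nonce()
    );
    header( 'Content-Security-Policy: ' . $policy );
}
add_action( 'send_headers', 'csp_example_send_header' );

// With the filters above, a plugin calling the 5.7 helper, for example
//   wp_print_inline_script_tag( 'var ElementorTrySafeMode = function() {};' );
// now emits <script nonce="..."> that the browser accepts under this policy.
```

Because the nonce must differ on every response, pages served from a full-page cache will carry a stale nonce and fail the policy, so caching has to be bypassed for nonced pages or the header and nonce injected at the edge.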
+1
Very +1 :)
Agree !! +1
How is this not implemented yet?! The devs haven't even commented on this? So we can basically conclude that all sites running Elementor are vulnerable to XSS injections. How is this not a bigger deal for people!
@DorShahar
Lighthouse score for best practices brought me here.
November 2022. Still an issue. This error popping up on iOS 14 and later (at least). Causing page loads to hang up. I thought I might be able to go into "advanced" tab and add some key value pairs to trigger a script, but I found this thread. Doesn't seem to be affecting other browsers, maybe has something to do with Safari's security enhancements?
These scripts are throwing an error:
- /plugins/elementor-pro/assets/js/frontend.min.js
- /plugins/elementor-pro/assets/js/preloaded-elements-handlers.min.js
- /plugins/elementor/assets/js/frontend.min.js
Safari, from a certain version, uses CSP exclusively, hence you'll get those errors because Elementor doesn't support it. Given the fact that it's 2022 going on 2023 and cyber security is at the forefront of every dev's mind, this is something that should have been added ages ago.
Waiting for Elementor to update this CSP header.
+1
This is unacceptable! For years now, we've been waiting for Elementor to care (more) about security.
There are things that would be nice to have, things needed to do a good job without extensive coding (after all, that's what a page builder is used for), and then there are the must-haves. A page builder that makes it impossible to implement a proper CSP (aside from Content-Security-Policy: frame-ancestors 'self') is simply a no-go. I considered moving away from Elementor a few months back because of this very reason. What kept me with Elementor (for now) is the rapid pace of improvements within the past year. They are showing us they want to and can improve by listening to their customers, and that gives me hope.
Some Elementor bugs are annoying, but that's something one can work with. Being unable to properly protect your own and your customers' websites... Elementor has to take this seriously and act now!
Spoke to Elementor and they said their developers are currently working on this. No ETA. Hope it's soon though.
The problem of the inability to implement strict CSP through Elementor has been going on for a long time. It is time to implement this feature. We are all waiting for it.
+1
+1. Elementor could gain a lot of respect if they solved this particular issue.
Any updates on this? Did the Elementor team sort this issue?
Hi Elementor Team, any update or progress on the suggestion to implement JS scripts in a way that supports adding CSP headers to WordPress? We are all unable to apply security controls using CSP.
Where do I add these new functions? .htaccess? I don't have access to the editor and it just sits there and spins. I spoke to the tier 2 Elementor support team and they said the reason I don't have access to the editor is because of strict CSP. This is severely hurting my business, not being able to edit my site.
@Grittendor
I added mine to .htaccess, which you can normally access via your hosting provider. If you've not done this before, you can break your site by adding security headers. I would suggest making a copy of your .htaccess so you can always revert to the original if a header doesn't work. For myself it was a lot of trial and error in knowing what worked and what didn't. Add one new header at a time, test the site and look at the web inspector for any warnings. Hope this helps.
Yesterday, on 11.04.2024, our website was attacked by Russian Internet scammers and fraudsters. They exploited Elementor vulnerabilities, namely the lack of a CSP header, and performed an XSS injection by changing the Elementor CSS layout. The Elementor team has simply given up on cybersecurity and is putting its users at risk.
Have just had an Elementor site flagged as a security risk by a client's IT department for a total lack of protection around XSS injections. It seemingly puts the Elementor forms at risk of cross-site request forgery too, and there is no native method to tokenize forms.
The solution, in part, seems to be in OP's post. Has anyone heard anything from the dev team about this recently? Seems to be a major problem, particularly entering the age of AI as a website exploit tool. @krlabs did you report your breach directly to Elementor and flag XSS injection as the weak point?
We have been moving sites from other builders to consolidate with Elementor over the last 18 months, but may need to re-think that moving forward. Maybe we can get someone from Elementor team to actually respond to this thread...
It is truly astounding how long this takes to fix. Frankly, I don't think they are even working on it at this point.
The way I protect the websites I take care of (around 96% of them are built with Elementor at this point) is by using NinjaFirewall. My CSP header is not as good as it could be (obviously, given the restraints), but at least XSS injection attempts are sanitized.
@kobizz @KingYes Please finally do something about this problem. We are all waiting for it! It's unbelievable how long you're taking for such an important feature. Security is the most important thing for a website, not just since this year.
I raised this as a "security issue" through Elementor Pro support where team-member Eliahu responded that it is not a proven bug and therefore is out of scope.
I replied that it is not a bug report, it is a glaring security issue, and have had no response since last week about the question: is it even being worked toward?
This thread finally got tagged by a mod so fingers crossed we might have an update soon...
Let's hope so, although it's frightening that a team member responded that it is not a proven bug and therefore is out of scope.
I wonder if Elementor's sudden jump on "speed" was previously seen as a proven bug, until it was clear it was hitting sales?