Envato Market WordPress Plugin: Strict Content Security Policy Header while allowing plugin to work

Hi, I am trying to create a strict Content Security Policy (CSP) in my Nginx configuration, and I want to be sure that any outside sources (possibly connect-src) that the Envato Market WordPress plugin uses are included in my policy.

In my Nginx virtual hosts server block, I am starting off with the following strict Content Security Policy (Header):

add_header Content-Security-Policy "default-src 'self';

Is there anything that the Envato Market WordPress Plugin uses that isn't included in 'self', that would need to be included in a strict content security policy header?

If so, could you please tell me what else I need to include in my Nginx header (specifying img-src rules, style-src rules, script-src rules, connect-src rules, and any other *-src rules) to keep a strict CSP while still allowing the plugin to be fully functional? Thanks so much for any help!

The only thing you should need to whitelist are the thumbnails. The plugin’s other assets should be local and any additional interactions will be server-side.

img-src 'self' *.envato.com;

It might be worth adding this to a location block scoped to wp-admin instead of the entire website.

By the way, the add_header code snippet you posted is broken – you didn’t close the quotes. It might also be worth adding the always parameter to the end.

add_header Content-Security-Policy "default-src 'self'; img-src 'self' *.envato.com;" always;
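The following Nginx fragment is an added example, not part of the original thread, showing how to keep the site-wide policy strict and relax only img-src inside a location scoped to wp-admin, as the reply suggests. The server name, document root and the PHP handling are assumptions; only the two add_header lines come from the reply above. The important Nginx caveat is that add_header is inherited from the enclosing level only when the current level defines no add_header of its own, so any header set at server level has to be repeated inside the location block or it silently disappears for /wp-admin/ responses.

```nginx
server {
    listen 443 ssl;
    server_name example.com;            # assumed hostname
    root /var/www/example.com;          # assumed document root
    index index.php;

    # Site-wide strict policy: every resource type falls back to
    # default-src, so only this origin is allowed. "always" sends the
    # header on error responses (4xx/5xx) too, not just on 2xx/3xx.
    add_header Content-Security-Policy "default-src 'self';" always;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # Scope the relaxed policy to the admin area only. Nothing on the
    # public site should ever need to load images from envato.com.
    location /wp-admin/ {
        # add_header is NOT inherited once this level sets its own
        # add_header, so the full policy is restated here. Only img-src
        # is widened; script-src, style-src, connect-src and the rest
        # still fall back to default-src 'self'. "*.envato.com" matches
        # subdomains only (e.g. a CDN host under envato.com), not the
        # bare apex "envato.com".
        add_header Content-Security-Policy "default-src 'self'; img-src 'self' *.envato.com;" always;

        try_files $uri $uri/ /index.php?$args;

        # Assumed PHP handling; reuse whatever fastcgi setup the site
        # already has. The header above applies to these responses too.
        location ~ \.php$ {
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
        }
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;       # assumed socket path
    }
}
```

Before enforcing this on a live admin area, it is worth deploying the same value under the Content-Security-Policy-Report-Only header first and watching the browser console (or a report-to endpoint) for violations: the WordPress dashboard itself uses inline script and style, which default-src 'self' alone does not permit, so the plugin's thumbnails are unlikely to be the only thing a fully strict policy blocks in wp-admin. Verify the header on an actual response with curl -sI https://example.com/wp-admin/ and confirm the location-level value, not the server-level one, is what comes back.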