[wp-trac] [WordPress Trac] #39941: Allow using Content-Security-Policy without unsafe-inline
WordPress Trac
noreply at wordpress.org
Mon Aug 6 16:15:23 UTC 2018
#39941: Allow using Content-Security-Policy without unsafe-inline
-------------------------+--------------------------
Reporter: tomdxw | Owner: johnbillion
Type: enhancement | Status: accepted
Priority: normal | Milestone: 5.0
Component: Security | Version: 4.8
Severity: normal | Resolution:
Keywords: | Focuses: javascript
-------------------------+--------------------------
Comment (by giuse):
I suppose you mean if an attacker is able to inject a script using a
WordPress function such as wp_add_inline_script. In that case no CSP can
help; if an attacker was able to do that, he can do what he wants. Or what
do you mean? Of course the filter has to work only if the scripts are
introduced by a WordPress function, in no other cases.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/39941#comment:16>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform