[wp-trac] [WordPress Trac] #45531: WP 5.0 and Gutenberg fails on sites with Content-Security-Policy set
WordPress Trac
noreply at wordpress.org
Sat Dec 8 01:55:08 UTC 2018
#45531: WP 5.0 and Gutenberg fails on sites with Content-Security-Policy set
--------------------------+-----------------------------
Reporter: fazalmajid | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version:
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
See also #39941
I have the security header:
{{{
Content-Security-Policy: script-src 'self' fathom.majid.org
}}}
set on my sites to prevent XSS attacks (fathom.majid.org is my whitelisted
web analytics).
The WP 5.0 and Gutenberg UI is peppered with inline <script> tags, that
are blocked by my browser with errors like:
{{{
Refused to execute inline script because it violates the following Content
Security Policy directive: "script-src 'self' fathom.majid.org". Either
the 'unsafe-inline' keyword, a hash
('sha256-LZrqMXg105/BsVblQvgwyYDKJXiCWIgv2IQ6sU/VwVc='), or a nonce
('nonce-...') is required to enable inline execution.
}}}
The FE development best practice nowadays is to move all the JS code to
versioned JS files sourced by <script src="..."> (better yet,
asynchronously).
In its current shape, the user only has the choice between going back to
the classic editor or disabling a critical security feature because of
shortcomings in coding standards.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/45531>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list