[wp-trac] [WordPress Trac] #32067: Remove inline javascript from WP-Core to allow CSP protection
WordPress Trac
noreply at wordpress.org
Wed Feb 7 15:15:29 UTC 2018
#32067: Remove inline javascript from WP-Core to allow CSP protection
-----------------------------+--------------------------
Reporter: tdelmas | Owner: johnbillion
Type: feature request | Status: accepted
Priority: normal | Milestone: 5.0
Component: Security | Version:
Severity: normal | Resolution:
Keywords: | Focuses: javascript
-----------------------------+--------------------------
Comment (by jdgrimes):
Replying to [comment:11 scotthelme]:
Hey Scott! Thanks for dropping in! I am a big fan of Troy Hunt, and
through his blog I found out about your site https://report-uri.com/, and
that has made adding a CSP to my own WordPress-powered sites actually
doable rather than seeming like an impossible chore. So thank you so much
for that!
Of course, up to now, I've had to use a CSP with `unsafe-inline`. However,
with the increased flexibility that CSPs have with hashes and nonces now,
I think that getting to a place where WordPress can run without the need
for `unsafe-inline` is achievable.
Replying to [comment:13 johnbillion]:
> I think the solution proposed in #39941 is the most viable one. Some
feedback on that approach would be greatly appreciated!
I agree that in the short-term, using nonces is going to be necessary,
since it requires the least amount of refactoring. We have to keep in mind
that to really be useful, whatever happens here needs to be embraced by
the WordPress ecosystem as a whole, if you want to use a non-`unsafe` CSP
on a site with any plugins and a non-default theme. It is unfortunately
not realistic to think that many plugins and themes are going to
completely remove inline scripts anytime soon, and core may also need to
keep using them at least in some places, for backward compatibility if for
no other reason.
That said, ''longer-term'', I think moving away from inline scripts as
much as possible should still be the goal. The downside of the nonces
approach is that it still allows XSS, if untrusted input is being output
within those nonced script tags unescaped. We should really be pushing
plugin developers to pass data to scripts in a more fail-safe manner. Just
replacing all of their inline `script` tags with a call to an
`inline_js()` function is not going to magically make that script itself
safer.
Despite that caveat, I think it is still a worthwhile pursuit and a
considerable improvement, because sites running a non-`unsafe` CSP would
still eliminate other whole classes of more common XSS.
But what I think should ideally happen, is that we do something along the
lines of #39941 now, but in the future it would be deprecated/discouraged,
in favor of moving away from inline scripts altogether.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/32067#comment:14>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform