[wp-trac] [WordPress Trac] #39941: Allow using Content-Security-Policy without unsafe-inline
WordPress Trac
noreply at wordpress.org
Fri Mar 22 16:03:39 UTC 2019
#39941: Allow using Content-Security-Policy without unsafe-inline
-------------------------------------+--------------------------
Reporter: tomdxw | Owner: johnbillion
Type: enhancement | Status: accepted
Priority: normal | Milestone: 5.3
Component: Security | Version: 4.8
Severity: normal | Resolution:
Keywords: has-patch needs-refresh | Focuses: javascript
-------------------------------------+--------------------------
Comment (by mallorydxw):
> With this patch, however, a malicious user could input specially
> formatted PHP code into the poorly sanitized inputs with the intent of
> injecting XSS JavaScript in the associated output
> But with your patch all inline JS templated via PHP will get marked as
> "supposed to be there" before being sent to the user... meaning that there
> is still no way to tell what inline JS is actually supposed to be there
> and what isn't.
Correction: this is not part of the WordPress patch I made. This is part
of the proof-of-concept plugin I made.
If the server sends `Content-Security-Policy: script-src 'nonce-123abc'`
then the client will only execute scripts if the opening script tag
contains `nonce="123abc"`. This example would be impossible unless the
attacker was able to guess the nonce value.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/39941#comment:29>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform