[wp-trac] [WordPress Trac] #39941: Allow using Content-Security-Policy without unsafe-inline

WordPress Trac noreply at wordpress.org
Fri Mar 22 19:17:06 UTC 2019


#39941: Allow using Content-Security-Policy without unsafe-inline
-------------------------------------+--------------------------
 Reporter:  tomdxw                   |       Owner:  johnbillion
     Type:  enhancement              |      Status:  accepted
 Priority:  normal                   |   Milestone:  5.3
Component:  Security                 |     Version:  4.8
 Severity:  normal                   |  Resolution:
 Keywords:  has-patch needs-refresh  |     Focuses:  javascript
-------------------------------------+--------------------------

Comment (by jadeddragoon):

 Replying to [comment:29 mallorydxw]:
 > If the server sends `Content-Security-Policy: script-src 'nonce-123abc'`
 > then the client will only execute scripts if the opening script tag
 > contains `nonce="123abc"`. This example would be impossible unless the
 > attacker was able to guess the nonce value.

 That would be true **''if the JavaScript was not templated via PHP''**.
 But ''**client-enforced**'' CSP cannot see what's happening in the PHP
 code on the ''**server**''. I already explained how this works in my last
 post. By templating JS via PHP, WordPress does and always has provided a
 means of JS injection. Because templating === injection. This is why
 WordPress has such a bad reputation for XSS exploits. And you're providing
 a means to make sure all the templated JS has valid nonces. That means
 that if someone manages to insert their own code into the templated JS by
 exploiting poorly formed PHP... **the XSS JS code ''will'' be in a script
 tag that has a nonce**. You're actually **''removing''** the need for the
 attacker to guess the nonce by creating it for them.

 Replying to [comment:30 mallorydxw]:
 > By the way, the proof-of-concept plugin I mentioned in the description
 > of the report is here now as I changed my github username:
 > https://gist.github.com/mallorydxw/e2aee45ad5cb2a309c6bd0fc213efb97

 LOL! Really? It's not bad enough that you want to provide a means for
 attackers to get valid nonces for their XSS attacks... but now you want to
 make sure that even existing WordPress XSS exploits can take advantage of
 it and future exploits don't have to ask for the nonce specifically. Good
 Job! ::face palm::

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/39941#comment:31>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
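As an added illustration of the point argued in the comment above (example code, not part of the ticket, the gist, or WordPress core): a small Python model of the templating pattern under discussion beside a data-block alternative. The PHP templating is simulated with Python string formatting; `render_templated_js`, `render_json_data_block`, `executable_scripts`, `read_data_block`, the `/js/page.js` path and the sample untrusted string are all assumptions made for this example. `executable_scripts` models a browser enforcing `script-src 'nonce-...'`: it runs only scripts carrying the response nonce, which shows that a value injected into a nonced inline script body executes with the nonce already attached, while the same value placed in a non-executable JSON data block never executes, even when it tries to close the block.

```python
import json
import re
import secrets

# Constructed sample: a value an attacker controls (a query parameter, a
# post field) that a PHP template echoes into a script body. The marker
# "injected()" stands in for whatever code the attacker supplies.
UNTRUSTED = 'x"; injected(); //'


def new_nonce() -> str:
    """Fresh per-response nonce, as a CSP nonce patch would emit."""
    return secrets.token_urlsafe(16)


def render_templated_js(untrusted: str, nonce: str) -> str:
    """Pattern the comment warns about: untrusted data is interpolated
    straight into executable JS. Whatever lands in the body shares the
    tag's nonce, so the nonce whitelists the injected code as well."""
    return f'<script nonce="{nonce}">var page = "{untrusted}";</script>'


def render_json_data_block(untrusted: str, nonce: str) -> str:
    """Hardened pattern (assumed for this example): untrusted data goes in
    a non-executable JSON data block, and the only executable script is
    external and nonced. '<', '>' and '&' are JSON-escaped so the data
    cannot close the block or open a new tag."""
    data = json.dumps({"page": untrusted})
    data = (data.replace("<", "\\u003c")
                .replace(">", "\\u003e")
                .replace("&", "\\u0026"))
    return (f'<script type="application/json" id="page-data">{data}</script>'
            f'<script nonce="{nonce}" src="/js/page.js"></script>')


SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.S | re.I)
ATTR_RE = re.compile(r'([A-Za-z][\w-]*)\s*=\s*"([^"]*)"')
JS_TYPES = {"", "text/javascript", "application/javascript", "module"}


def executable_scripts(doc: str, policy_nonce: str) -> list:
    """Toy model of a browser enforcing `script-src 'nonce-<policy_nonce>'`.
    Returns the scripts that would run: data blocks (non-JS type) never
    execute; everything else executes only with a matching nonce."""
    allowed = []
    for attrs, body in SCRIPT_RE.findall(doc):
        a = {k.lower(): v for k, v in ATTR_RE.findall(attrs)}
        if a.get("type", "text/javascript").lower() not in JS_TYPES:
            continue  # data block: never executed, nonce or not
        if a.get("nonce") != policy_nonce:
            continue  # CSP blocks it
        allowed.append({"src": a.get("src"), "body": body})
    return allowed


def read_data_block(doc: str) -> dict:
    """What the external /js/page.js would do: parse the JSON block back."""
    for attrs, body in SCRIPT_RE.findall(doc):
        a = {k.lower(): v for k, v in ATTR_RE.findall(attrs)}
        if a.get("id") == "page-data":
            return json.loads(body)
    raise ValueError("no page-data block")


if __name__ == "__main__":
    nonce = new_nonce()
    for name, render in (("templated JS", render_templated_js),
                         ("JSON data block", render_json_data_block)):
        doc = render(UNTRUSTED, nonce)
        runs = executable_scripts(doc, nonce)
        print(f"{name}: {len(runs)} script(s) execute")
        for s in runs:
            print("   ", s["src"] or s["body"])
```

Run stand-alone, the templated variant reports one executing script whose body is `var page = "x"; injected(); //";`, i.e. the injected call runs under the server-issued nonce; the data-block variant reports only `/js/page.js`, and `read_data_block` returns the original string intact, including a `</script>` breakout attempt.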