[wp-trac] [WordPress Trac] #57424: Specific hook for Content Security Policy
WordPress Trac
noreply at wordpress.org
Thu Jan 5 17:27:01 UTC 2023
#57424: Specific hook for Content Security Policy
-------------------------+-----------------------------
Reporter: bhubbard | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version:
Severity: normal | Keywords:
Focuses: |
-------------------------+-----------------------------
Right now I see several tickets discussing the Content Security Policy. At
the moment I believe the most common ways to set it currently for a
WordPress site are:
1) Server Side (Apache, Nginx, etc)
2) Hooking into "send_headers"
3) Hooking into "wp_head" and sending as a meta tag.
To improve reliability and prevent duplicates/bugs, I suggest we have a
specific hook for the CSP header. Theme and Plugin Developers could then
use this hook to add their domains/etc to the CSP. Currently if I write a
plugin that uses an external script, I could create/add a CSP to the site,
but I would have no way of knowing what other domains/etc are being used
that would need to be added to the header. Having a specific hook could
solve this issue for site owners and developers, leading to a more secure
website.
It would also make sense to support the specific arguments such as:
font-src, media-src, img-src, etc.
As a bonus I could see these other security related headers benefiting
from having their own hooks as well:
- permissions-policy
- referrer-policy
- x-content-type-options
- x-frame-options
- x-xss-protection
- report-to (maybe we can have this default to admin email, or a wp
service?)
--
Ticket URL: <https://core.trac.wordpress.org/ticket/57424>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
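As an added illustration of the proposal above (example code written for this page, not part of the ticket or of WordPress core), the following sketches how a per-directive CSP hook could be layered on the existing "send_headers" action: one function owns the header and emits it exactly once, while plugins and themes contribute sources per directive through a filter. The filter name `wp_csp_directives`, the `example_` function names and the `cdn.example` host are assumptions made for the example; WordPress core has no such filter.

```php
<?php
/**
 * Added example (not from the ticket or WordPress core): a single owner
 * for the Content-Security-Policy header, fed by a per-directive filter.
 * The filter name "wp_csp_directives" is an assumption for illustration.
 */

/**
 * Build the header value from an array of directive => list of sources.
 * Sources are de-duplicated and directives left empty are dropped.
 * Returns '' when nothing remains, so the caller can skip the header.
 */
function example_build_csp_header( array $directives ) {
    $parts = array();
    foreach ( $directives as $directive => $sources ) {
        // Directive names are lowercase tokens; reject anything else so a
        // malformed key cannot carry ';' and terminate the directive early.
        if ( ! preg_match( '/^[a-z-]+$/', $directive ) ) {
            continue;
        }
        $clean = array();
        foreach ( (array) $sources as $src ) {
            $src = trim( (string) $src );
            // A source with whitespace or ';' would corrupt the policy; drop it.
            if ( '' === $src || preg_match( '/[\s;]/', $src ) ) {
                continue;
            }
            $clean[ $src ] = true; // array keys de-duplicate repeated sources
        }
        if ( empty( $clean ) ) {
            continue;
        }
        $parts[] = $directive . ' ' . implode( ' ', array_keys( $clean ) );
    }
    return implode( '; ', $parts );
}

/**
 * Site-level default policy. Plugins and themes extend it through the
 * (hypothetical) "wp_csp_directives" filter instead of each sending their
 * own header, so the final header is emitted once and contains every
 * contributor's sources.
 */
function example_send_csp_header() {
    if ( headers_sent() ) {
        return; // Output already started; a header can no longer be set.
    }
    $defaults = array(
        'default-src' => array( "'self'" ),
        'script-src'  => array( "'self'" ),
        'img-src'     => array( "'self'", 'data:' ),
        'font-src'    => array( "'self'" ),
        'media-src'   => array( "'self'" ),
    );
    $directives = apply_filters( 'wp_csp_directives', $defaults );
    $value      = example_build_csp_header( $directives );
    if ( '' !== $value ) {
        header( 'Content-Security-Policy: ' . $value );
    }
}
add_action( 'send_headers', 'example_send_csp_header' );

/**
 * What a plugin that loads an external script would register: it appends
 * its own origin to the directives it needs and leaves other contributors'
 * entries intact. "https://cdn.example" is a placeholder host.
 */
function example_plugin_add_csp_sources( array $directives ) {
    $directives['script-src'][] = 'https://cdn.example';
    $directives['font-src'][]   = 'https://cdn.example';
    return $directives;
}
add_filter( 'wp_csp_directives', 'example_plugin_add_csp_sources' );
```

With the defaults and the one plugin callback above, the emitted header is `Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example; img-src 'self' data:; font-src 'self'; media-src 'self'`. The value validation matters because each contributor's strings end up in one header: a stray `;` in a single source would otherwise let one plugin rewrite the policy for everyone, which is exactly the kind of cross-plugin clobbering the ticket wants a central hook to avoid.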