[wp-trac] [WordPress Trac] #39941: Allow using Content-Security-Policy without unsafe-inline
WordPress Trac
noreply at wordpress.org
Mon Sep 25 22:14:32 UTC 2023
#39941: Allow using Content-Security-Policy without unsafe-inline
-------------------------------------------------+-------------------------
Reporter: tomdxw | Owner: adamsilverstein
Type: enhancement | Status: closed
Priority: normal | Milestone: 5.7
Component: Security | Version: 4.8
Severity: normal | Resolution: fixed
Keywords: has-patch has-unit-tests commit has-dev-note | Focuses: javascript
-------------------------------------------------+-------------------------
Comment (by westonruter):
Replying to [comment:106 enricocarraro]:
> I think WordPress should give the option to use strict CSP to the users
> who want it; I can imagine that dynamic websites like e-commerces would at
> least consider implementing it for the most sensitive pages.
In [56687] it is now possible to enforce Strict CSP on the frontend and
the login screen, assuming the theme and plugins aren't manually
constructing script tags on their own.
I mistakenly didn't refer to your [https://github.com/WordPress/wordpress-develop/pull/498 impressive PR]
in the development of the code for that commit, but I see now I should have! It looks like you've done a lot of
the work to pave the way for a second phase of this effort, to be able to
opt-in to Strict CSP for all of WordPress, including the admin. I
intentionally reduced the scope to the frontend/login screen due to the
level of effort, which I see you actually did. At present the effort is
now complicated a bit by the block/site editor which includes JS-generated
script tags in the editor iframe, which breaks Strict CSP. So we'll need
to work out a solution to that.
See also #59444 which discusses how we can have better developer
experience for JS embedded in string literals as opposed to `<script>`
tags.
I'll create a follow-up ticket for us to track the remaining work since I
missed committed work in this closed ticket.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/39941#comment:110>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
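As an added illustration of the opt-in the comment above describes (this is example code written for this page, not code from the ticket, the linked PR or WordPress core), the following mu-plugin style snippet shows how a site could enforce a nonce-based Strict CSP on the frontend and login screen once core prints every script through its own script-tag functions. It assumes WordPress 5.7 or later, where the `wp_script_attributes` and `wp_inline_script_attributes` filters exist; the `csp_example_*` function names, the `CSP_EXAMPLE_REPORT_ONLY` constant and the policy string itself are choices made for this example. It deliberately does not hook the admin, which the comment notes is not yet compatible because of JS-generated script tags in the editor iframe.

```php
<?php
/**
 * Plugin Name: Strict CSP nonce example
 *
 * Example code for this page, not part of WordPress core or ticket #39941.
 * Assumes WordPress 5.7+ (wp_script_attributes / wp_inline_script_attributes
 * filters) and a theme/plugin set that emits scripts through
 * wp_print_script_tag() / wp_print_inline_script_tag() rather than
 * hand-written '<script>' strings, which the nonce cannot reach.
 */

// Ship in report-only mode first so that any theme or plugin still building
// its own script tags shows up as a violation report instead of a broken page.
if ( ! defined( 'CSP_EXAMPLE_REPORT_ONLY' ) ) {
	define( 'CSP_EXAMPLE_REPORT_ONLY', true );
}

/**
 * One nonce per request, generated lazily and cached in a static so the
 * header and every printed script tag see the same value.
 *
 * @return string Base64-encoded 128-bit random nonce.
 */
function csp_example_nonce() {
	static $nonce = null;
	if ( null === $nonce ) {
		$nonce = base64_encode( random_bytes( 16 ) );
	}
	return $nonce;
}

/**
 * Add the nonce attribute to every external and inline script tag core prints.
 *
 * @param array $attributes Key/value attributes for the script tag.
 * @return array Attributes including the nonce.
 */
function csp_example_add_nonce( $attributes ) {
	$attributes['nonce'] = csp_example_nonce();
	return $attributes;
}
add_filter( 'wp_script_attributes', 'csp_example_add_nonce' );
add_filter( 'wp_inline_script_attributes', 'csp_example_add_nonce' );

/**
 * Send the policy header. 'strict-dynamic' lets nonced scripts load the
 * scripts they create themselves without host allowlists; there is no
 * 'unsafe-inline' anywhere in the policy.
 */
function csp_example_send_header() {
	static $sent = false;
	if ( $sent || headers_sent() ) {
		return;
	}
	$sent = true;

	$policy = sprintf(
		"script-src 'nonce-%s' 'strict-dynamic'; object-src 'none'; base-uri 'none'",
		csp_example_nonce()
	);
	// A report-to / report-uri directive would be appended here once a
	// collection endpoint exists (none is assumed in this example).
	$name = CSP_EXAMPLE_REPORT_ONLY ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
	header( $name . ': ' . $policy );
}
// Frontend requests run through WP::send_headers(); wp-login.php does not,
// so the login screen is covered separately via login_init.
add_action( 'send_headers', 'csp_example_send_header' );
add_action( 'login_init', 'csp_example_send_header' );
```

Dropping this file into `wp-content/mu-plugins/` and watching the browser console in report-only mode is the practical check for the caveat in the comment: any violation that names an inline script is a theme or plugin still constructing its own tag, and it has to move to `wp_print_inline_script_tag()` (or the string-literal approach discussed in #59444) before the header can be switched to enforcing by defining `CSP_EXAMPLE_REPORT_ONLY` as `false`.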