[wp-trac] [WordPress Trac] #39941: Allow using Content-Security-Policy without unsafe-inline

WordPress Trac noreply at wordpress.org
Wed Apr 24 17:25:22 UTC 2024


#39941: Allow using Content-Security-Policy without unsafe-inline
-------------------------------------------------+-------------------------
 Reporter:  tomdxw                               |       Owner:
                                                 |  adamsilverstein
     Type:  enhancement                          |      Status:  closed
 Priority:  normal                               |   Milestone:  5.7
Component:  Security                             |     Version:  4.8
 Severity:  normal                               |  Resolution:  fixed
 Keywords:  has-patch has-unit-tests commit      |     Focuses:  javascript
  has-dev-note                                   |
-------------------------------------------------+-------------------------

Comment (by amanandhishoe):

 Thanks for pointing that out. It is something to consider. But in order
 for a hacker to be able to add an inline script at the point I am creating
 hashes for inline scripts, the 'template_redirect' or WP-Rocket's
 'rocket_buffer' filter, they would either have had to hack into the
 site to add some malicious PHP file that inserts an inline script as the page
 is being generated, modify WordPress core or a plugin, or have been able
 to add a script into the database that gets added during page generation.
 And if a hacker can do that, the site is compromised and no CSP will save
 me.

 I do see that many inline scripts do have an id like
 <script id="twentyseventeen-global-js-extra"> or
 <script id="wordfenceAJAXjs-js-extra"> which identify which plugin or
 theme is adding the script.

 And since I use WP-Rocket I see a number of
 <script type="rocketlazyloadscript"> inline scripts.

 But a hacker clever enough to compromise the site to add inline scripts to
 the page being generated, could easily add an id="" to the script to make
 it look like one of my plugins is adding the script.

 But it does seem possible for future versions of WordPress to
 automatically generate a robust script CSP with hashes by making it a
 practice that WordPress core, themes, and plugins only add inline scripts
 with calls like wp_add_inline_script(). And wp_add_inline_script would
 build a robust CSP for the page. That's something to think about.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/39941#comment:117>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
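The approach the comment describes, hashing every inline script in the fully generated page at the output-buffer stage and emitting the result as a script-src directive, as an added example. This is not WordPress or WP Rocket code. It assumes the rendered HTML is available as one string, either through WP Rocket's 'rocket_buffer' filter (named in the comment) or through an ob_start() callback registered on 'template_redirect'; the WP_ROCKET_VERSION constant used to tell the two cases apart is assumed to be defined when WP Rocket is active.

```php
<?php
// Added example (not WordPress or WP Rocket code). Builds a hash-based
// script-src directive from the inline <script> elements in a generated
// page. Assumption: the complete page HTML is passed to us as a string at
// the output-buffer stage, before any of it has been sent to the browser.

/**
 * Return the CSP hash sources for every inline <script> in $html.
 * Scripts with a src attribute are skipped (they need a host or nonce
 * source, not a hash). The hash covers the exact bytes between
 * <script ...> and </script>, so any later rewrite of the markup
 * (minification, lazy-load wrappers added after this point) invalidates it.
 */
function csp_inline_script_hashes(string $html): array {
    $hashes = [];
    if (!preg_match_all('#<script\b([^>]*)>(.*?)</script>#is', $html, $m, PREG_SET_ORDER)) {
        return $hashes;
    }
    foreach ($m as $match) {
        if (preg_match('/\bsrc\s*=/i', $match[1])) {
            continue; // external script, not hashable
        }
        // CSP source expression: 'sha256-<base64 of the raw digest>'
        $source = "'sha256-" . base64_encode(hash('sha256', $match[2], true)) . "'";
        $hashes[$source] = true; // identical scripts (e.g. repeated snippets) share one hash
    }
    return array_keys($hashes);
}

/** Assemble the script-src directive: fixed sources first, then the hashes. */
function csp_script_src_directive(string $html, array $fixed_sources = ["'self'"]): string {
    return 'script-src ' . implode(' ', array_merge($fixed_sources, csp_inline_script_hashes($html)));
}

if (function_exists('add_filter')) {
    // Running inside WordPress. The buffer has not been flushed yet, so
    // header() can still be called from the callback.
    $send_csp = function (string $html): string {
        header('Content-Security-Policy: ' . csp_script_src_directive($html));
        return $html;
    };
    if (defined('WP_ROCKET_VERSION')) {           // assumption: set when WP Rocket is active
        add_filter('rocket_buffer', $send_csp);   // WP Rocket hands us the finished page
    } else {
        add_action('template_redirect', function () use ($send_csp) {
            ob_start($send_csp);                  // buffer the page ourselves
        });
    }
} else {
    // Stand-alone run on constructed markup (not a real page).
    $html = '<html><head><script src="/a.js"></script>'
          . '<script id="twentyseventeen-global-js-extra">var x = 1;</script>'
          . '</head><body><script>var x = 1;</script></body></html>';
    echo csp_script_src_directive($html), PHP_EOL;
}
```

Run outside WordPress it prints a single directive with one hash, because the two inline scripts have identical bodies. The limitation the comment raises holds here too: anything already in the buffer, including a script a server-side compromise injected, gets hashed and therefore allowed; the directive only stops scripts that were not part of the rendered page, such as ones added client-side after delivery.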