[wp-trac] [WordPress Trac] #39941: Allow using Content-Security-Policy without unsafe-inline
WordPress Trac
noreply at wordpress.org
Wed Apr 24 22:44:03 UTC 2024
#39941: Allow using Content-Security-Policy without unsafe-inline
-------------------------------------------------+-------------------------
Reporter: tomdxw | Owner:
| adamsilverstein
Type: enhancement | Status: closed
Priority: normal | Milestone: 5.7
Component: Security | Version: 4.8
Severity: normal | Resolution: fixed
Keywords: has-patch has-unit-tests commit | Focuses: javascript
has-dev-note |
-------------------------------------------------+-------------------------
Comment (by scofennell@…):
Replying to [comment:117 amanandhishoe]:
> And if a hacker can do that, the site is compromised and no CSP will
save me.
Not with that attitude, it can't! :D
It's entirely plausible that a hacker would succeed with a DB injection
but not have gained access to your file system. A CSP can save you from
having that script, say, deface your site, and it can execute a report so
you know immediately that something's been injected and is attempting to
render a script. That's really valuable.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/39941#comment:118>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list