[wp-trac] [WordPress Trac] #10237: Implement Content Security Policy to prevent XSS (was: Implement the new Mozilla feature to prevent XSS)

WordPress Trac wp-trac at lists.automattic.com
Wed Jun 20 16:12:37 UTC 2012


#10237: Implement Content Security Policy to prevent XSS
-------------------------------+-----------------------------
 Reporter:  Denis-de-Bernardy  |       Owner:  ryan
     Type:  feature request    |      Status:  new
 Priority:  normal             |   Milestone:  Future Release
Component:  Security           |     Version:  2.8
 Severity:  normal             |  Resolution:
 Keywords:  needs-patch        |
-------------------------------+-----------------------------
Changes (by GaryJ):

 * cc: gary@… (added)
 * keywords:   => needs-patch


Comment:

 The patches here (outside of the plugin) would need updating, since the
 'allow' string is now 'default-src'. It may also be worth supporting the
 `X-Webkit-CSP` header too if it's implemented any time soon.

 Would there be a problem if the header was set up and sent at the server
 level instead of the PHP level?

 How much of the inline scripts and styles could be moved to external files
 for the purpose of adding a CSP header?

 It would make the otherwise useful `wp_localize_script()` redundant unless
 `unsafe-inline` was allowed for `script-src`, and `style-src` would also
 need it for gallery, toolbar and other styles.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/10237#comment:24>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
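An added example, not code from the ticket's patches or from WordPress core, showing what the comment above describes in working PHP: a policy built with the current `default-src` directive name, the same value sent under both `Content-Security-Policy` and the legacy `X-WebKit-CSP` header, `style-src` still carrying `'unsafe-inline'` for core's inline gallery and toolbar styles, and `script-src` kept free of `'unsafe-inline'` by tagging the one inline block (the kind `wp_localize_script()` emits) with a per-request nonce, a source type CSP gained after this comment was written. `add_action`, the `send_headers` hook and `wp_localize_script()` are real WordPress APIs; `csp_nonce`, `build_csp_header`, `site_csp_policy`, `send_csp_headers` and `inline_script_tag` are names assumed for this example.

```php
<?php
// Added example (not WordPress core code). Builds a CSP header from a policy
// array and sends it once per request; directive names follow the current
// spec, where 'default-src' replaced the earlier 'allow'.

/**
 * Per-request nonce, generated once and reused both in the header and on
 * every inline <script> tag that should be allowed to run.
 */
function csp_nonce(): string {
    static $nonce = null;
    if ($nonce === null) {
        // 128 bits of CSPRNG output, base64-encoded as the spec requires.
        $nonce = base64_encode(random_bytes(16));
    }
    return $nonce;
}

/**
 * Serialise ['default-src' => ["'self'"], 'script-src' => ["'self'", ...]]
 * into "default-src 'self'; script-src 'self' ...".
 */
function build_csp_header(array $policy): string {
    $parts = [];
    foreach ($policy as $directive => $sources) {
        $parts[] = $directive . ' ' . implode(' ', $sources);
    }
    return implode('; ', $parts);
}

/**
 * Example site policy (assumed values). Inline scripts run only when they
 * carry this request's nonce, so 'unsafe-inline' stays out of script-src.
 * style-src keeps 'unsafe-inline' because core still emits inline styles
 * for the gallery and toolbar, as the ticket comment points out.
 */
function site_csp_policy(): array {
    return [
        'default-src' => ["'self'"],
        'script-src'  => ["'self'", "'nonce-" . csp_nonce() . "'"],
        'style-src'   => ["'self'", "'unsafe-inline'"],
        'img-src'     => ["'self'", 'data:'],
    ];
}

/** Send the standard header plus the legacy WebKit-prefixed copy. */
function send_csp_headers(): void {
    if (headers_sent()) {
        return; // output already started; header() would be ignored here
    }
    $value = build_csp_header(site_csp_policy());
    header('Content-Security-Policy: ' . $value);
    header('X-WebKit-CSP: ' . $value); // ignored by browsers that never used it
}

/**
 * Inline <script> the policy above will execute, because its nonce matches.
 * $js must be server-generated, trusted content (e.g. json_encode() output).
 */
function inline_script_tag(string $js): string {
    return '<script nonce="' . htmlspecialchars(csp_nonce(), ENT_QUOTES) . '">'
        . $js . '</script>';
}

// Inside WordPress: attach to the send_headers action so the header goes out
// before any page output. Outside WordPress (plain CLI): print what would be sent.
if (function_exists('add_action')) {
    add_action('send_headers', 'send_csp_headers');
} else {
    echo build_csp_header(site_csp_policy()), PHP_EOL;
    // Constructed stand-in for a wp_localize_script() data block.
    echo inline_script_tag('var wpData = {"ajaxUrl":"/wp-admin/admin-ajax.php"};'), PHP_EOL;
}
```

Run with `php csp-example.php` to see the header value and a nonce-tagged inline script; inside a plugin, only the `add_action` branch runs. Generating the nonce once per request (the `static` in `csp_nonce()`) matters: the header and every inline tag must carry the same value, and a nonce reused across requests gives an attacker a predictable value to target, which defeats the point of not allowing `'unsafe-inline'`.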

