[wp-trac] [WordPress Trac] #11928: Recent Comments widget injects unconfigurable CSS (with !important)
WordPress Trac
noreply at wordpress.org
Fri Jan 24 10:59:24 UTC 2014
#11928: Recent Comments widget injects unconfigurable CSS (with !important)
-----------------------------+-------------------------
Reporter: archon810 | Owner: azaozz
Type: enhancement | Status: closed
Priority: normal | Milestone:
Component: Widgets | Version: 2.9.1
Severity: normal | Resolution: worksforme
Keywords: has-patch close | Focuses:
-----------------------------+-------------------------
Comment (by nicelab):
In our theme we have decided to implement Content-Security-Policy to
provide a bit of XSS protection.
For example, in header.php we will do something like this:
<?php
// header() rejects values containing newlines, so the directives are joined into one line.
header(
"Content-Security-Policy: default-src 'self'; " .
"style-src 'self' http://fonts.googleapis.com; " .
"font-src 'self' http://themes.googleusercontent.com; " .
"img-src 'self' http://*.gravatar.com;"
); ?>
<!DOCTYPE html>
...
The default Content Security Policy forbids inline CSS styles and
automatically kills the Recent Comments sidebar style (unless you add
'unsafe-inline').
Maybe it's time to move this inline CSS line into the default CSS themes?
(For now we will use the nacin hack in our theme to avoid unnecessary
warnings.)
--
Ticket URL: <https://core.trac.wordpress.org/ticket/11928#comment:10>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
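
The conflict described in the comment above, as an added example that is not part of the original message or of WordPress: it builds the same policy as a single header line and lists the inline styles in a page that the policy would refuse to apply. The function names and the sample HTML are assumptions made for illustration.

```php
<?php
// Added example: function names are hypothetical, not WordPress APIs.

// Join directives into one line; header() rejects values that contain newlines.
function csp_header_value(array $directives): string {
    $parts = [];
    foreach ($directives as $name => $sources) {
        $parts[] = $name . ' ' . implode(' ', $sources);
    }
    return implode('; ', $parts);
}

// List inline styles in $html that the policy would refuse to apply.
function csp_blocked_inline_styles(array $directives, string $html): array {
    // style-src governs styles; default-src is the fallback when it is absent.
    $sources = $directives['style-src'] ?? $directives['default-src'] ?? null;
    if ($sources === null) {
        return [];
    }
    // A nonce or hash source makes browsers ignore 'unsafe-inline'.
    // Nonce/hash matching is not evaluated: every inline style is then reported.
    $strict = preg_grep("/^'(nonce|sha(256|384|512))-/", $sources);
    if (in_array("'unsafe-inline'", $sources, true) && !$strict) {
        return [];
    }
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    libxml_clear_errors();
    $found = [];
    foreach ($doc->getElementsByTagName('style') as $el) {
        $found[] = '<style>: ' . trim($el->textContent);
    }
    foreach ((new DOMXPath($doc))->query('//*[@style]') as $el) {
        $found[] = '<' . $el->nodeName . ' style>: ' . $el->getAttribute('style');
    }
    return $found;
}

// Policy from the comment above, one directive per key.
$policy = [
    'default-src' => ["'self'"],
    'style-src'   => ["'self'", 'http://fonts.googleapis.com'],
    'font-src'    => ["'self'", 'http://themes.googleusercontent.com'],
    'img-src'     => ["'self'", 'http://*.gravatar.com'],
];
// Constructed sample of rendered output with a widget-style inline <style> block.
$html = '<html><head><link rel="stylesheet" href="/style.css">'
      . '<style type="text/css">.recentcomments a{display:inline !important;}</style>'
      . '</head><body><p style="margin:0">hi</p></body></html>';
echo 'Content-Security-Policy: ' . csp_header_value($policy) . "\n";
foreach (csp_blocked_inline_styles($policy, $html) as $hit) { echo "blocked: $hit\n"; }
```

In a theme, the value from csp_header_value() would be passed to header() before any output is sent; the external stylesheet link is not reported because 'self' covers it.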