[wp-trac] [WordPress Trac] #32067: Remove inline javascript from WP-Core to allow CSP protection

WordPress Trac noreply at wordpress.org
Thu Apr 23 19:53:48 UTC 2015 

#32067: Remove inline javascript from WP-Core to allow CSP protection
-----------------------------+------------------------------
 Reporter:  tdelmas          |       Owner:
     Type:  feature request  |      Status:  new
 Priority:  normal           |   Milestone:  Awaiting Review
Component:  Security         |     Version:
 Severity:  normal           |  Resolution:
 Keywords:                   |     Focuses:
-----------------------------+------------------------------

Comment (by tdelmas):

 Thank you @johnbillion and @dd32 for your answers.

 To add some clarification :
 I was not asking of a way to add a CSP (a plugin, or by default), It's
 easy enough to add one configuration line in your favorite web-server.
 My point was really about inline javascript. In my opinion, a CSP blocking
 inline javacript is a really improvement. With this kind of mechanism, an
 XSS (like the last one) is not anymore a catastrophic problem.
 To allow this kind of security, we need to get rid of inline javascript.

 I know WordPress have a lot of technical debts, but removing inline
 javascript from WP-Core can be an (long term) objective ?

 From an administrator point of view, if none of my post contain inline JS,
 and none of my plugin too, I would feel more secure if I could add a
 proper CSP. (Of course today I can add one, but I will possibly break a
 lot of things !)


 For example, for wp_localize_script (example taken from
 https://pippinsplugins.com/use-wp_localize_script-it-is-awesome/ )


 {{{
         wp_enqueue_script('pw-script', plugin_dir_url( __FILE__ ) . 'js
 /pw-script.js');
         wp_localize_script('pw-script', 'pw_script_vars', array(
                         'alert' => __('Hey! You have clicked the button!',
 'pippin')
                 )
         );

 }}}

 Could generate something like :

 {{{
 <span data-translation="Hey! You have clicked the button!" data-
 context="pippin" data-translated="(The same text, localized)"></span>
 <script src="js/wp-localize.js"></script>
 <script src="js/pw-script.js"></script>
 }}}

 And wp-localize.js will read the dom and load all translations, before the
 execution of pw-script.js

 It could be done without breaking the API compatibility.


 To conclude : IMHO, adding a CSP must not be an obligation, but, allowing
 administrator to strengthened the security of their WP with a CSP will be
 a huge step from a security point of view.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/32067#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list