[wp-trac] [WordPress Trac] #32067: Remove inline javascript from WP-Core to allow CSP protection
WordPress Trac
noreply at wordpress.org
Mon Jul 27 00:34:10 UTC 2015
#32067: Remove inline javascript from WP-Core to allow CSP protection
-----------------------------+------------------------------
Reporter: tdelmas | Owner:
Type: feature request | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version:
Severity: normal | Resolution:
Keywords: | Focuses:
-----------------------------+------------------------------
Comment (by JonathanKingston):
Without the core of WordPress being CSP safe then plugins will have a very
hard time fixing all the bad practices after the fact.
I suggest actually getting the scripts to load over XHR/fetch the
localised scripts data as this would allow all the code to be static thus
allowing the page to generate SRI hashes which adds further script safety.
WordPress developers should be going out of their way to advocate security
such that its plugin authors can follow from their example.
Adding the CSP could be an addon (which should really be enabled by
default) but the actual task here is getting the default installs to not
require inline JavaScript.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/32067#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform