[wp-trac] [WordPress Trac] #38695: Customizer requires a relaxed CSP with 'unsafe-eval' specified
WordPress Trac
noreply at wordpress.org
Mon Nov 7 17:15:55 UTC 2016
#38695: Customizer requires a relaxed CSP with 'unsafe-eval' specified
---------------------------+-------------------------
Reporter: bjornjohansen | Owner:
Type: enhancement | Status: closed
Priority: normal | Milestone:
Component: Customize | Version: trunk
Severity: normal | Resolution: wontfix
Keywords: | Focuses: javascript
---------------------------+-------------------------
Changes (by westonruter):
* status: new => closed
* resolution: => wontfix
* milestone: Awaiting Review =>
Comment:
This turns out to not be a problem specific to the customizer. As you
noted in Twitter, the Media Library is also broken when Nginx is
configured with:
{{{
add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' data: https:";
}}}
In fact, it is a more fundamental problem with the JavaScript used in
WordPress. Namely, anywhere in WordPress that `wp.template` (or Underscore
templating) is used, this problem will occur. JavaScript templating in WP
currently requires `unsafe-eval`.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/38695#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
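
Added example, not part of the ticket comment and not WordPress or Underscore source: a sketch of why string-compiled templating trips a policy without `unsafe-eval`, next to an eval-free renderer for the interpolation-only subset. It assumes the `{{ }}` / `{{{ }}}` delimiters and `data` variable of `wp.template`; the function names are hypothetical, `<# #>` logic blocks are out of scope, and the fallback keys on the `EvalError` that browsers raise when CSP blocks `Function`.

```javascript
// Added example; not WordPress or Underscore source. All function names are hypothetical.
// Delimiters follow wp.template: {{ x }} is HTML-escaped, {{{ x }}} is raw, the model is `data`.
const TOKEN = /\{\{\{([\s\S]+?)\}\}\}|\{\{([^}]+?)\}\}(?!\})/g;

function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, c => map[c]);
}

function tokenize(tpl) {
  const out = [];
  let last = 0;
  for (const m of tpl.matchAll(TOKEN)) {
    if (m.index > last) out.push({ text: tpl.slice(last, m.index) });
    out.push({ expr: (m[1] !== undefined ? m[1] : m[2]).trim(), raw: m[1] !== undefined });
    last = m.index + m[0].length;
  }
  if (last < tpl.length) out.push({ text: tpl.slice(last) });
  return out;
}

// Underscore-style: build JavaScript source and compile it with the Function constructor.
// This is the step a policy without 'unsafe-eval' refuses (browsers throw EvalError).
function compileWithFunction(tpl, FunctionCtor = Function) {
  const body = tokenize(tpl).map(t => t.text !== undefined ? JSON.stringify(t.text)
    : t.raw ? `String(${t.expr})` : `esc(${t.expr})`).join('+') || "''";
  const fn = new FunctionCtor('data', 'esc', `return ${body};`);
  return data => fn(data, escapeHtml);
}

// Eval-free: resolve only dotted own-property paths under `data`; no code is generated.
function lookup(data, expr) {
  const m = /^data((?:\.[A-Za-z_$][\w$]*)*)$/.exec(expr);
  if (!m) throw new SyntaxError(`expression needs eval, not supported: ${expr}`);
  return m[1].split('.').filter(Boolean).reduce((o, k) =>
    o != null && Object.prototype.hasOwnProperty.call(o, k) ? o[k] : undefined, data);
}

function renderNoEval(tpl, data) {
  return tokenize(tpl).map(t => t.text !== undefined ? t.text
    : t.raw ? String(lookup(data, t.expr)) : escapeHtml(lookup(data, t.expr))).join('');
}

// Try the compiled path; fall back when the environment forbids string compilation.
function render(tpl, data, FunctionCtor = Function) {
  try { return compileWithFunction(tpl, FunctionCtor)(data); }
  catch (e) { if (e instanceof EvalError) return renderNoEval(tpl, data); throw e; }
}
```

Passing a constructor that throws `EvalError` as the third argument of `render` simulates the blocked environment outside a browser.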