[wp-trac] [WordPress Trac] #33948: Implement subresource integrity (SRI)
WordPress Trac
noreply at wordpress.org
Fri Sep 2 12:15:52 UTC 2016
#33948: Implement subresource integrity (SRI)
-------------------------------------------------+-------------------------
 Reporter:  johnbillion                          |       Owner:
     Type:  enhancement                          |      Status:  new
 Priority:  normal                               |   Milestone:  Awaiting Review
Component:  Script Loader                        |     Version:
 Severity:  normal                               |  Resolution:
 Keywords:  dev-feedback needs-testing has-patch |     Focuses:
-------------------------------------------------+-------------------------
Changes (by joe_bopper):
* keywords: needs-patch dev-feedback => dev-feedback needs-testing has-patch
Comment:
Hi,
I have created and attached a patch that allows the application (and
removal) of extra attributes to both a wp_script and wp_style (that is,
enqueued `<script>` and `<link>` tags). The functions for these are:
{{{#!php
$handle = 'my-script';
$attrs = array( 'async' => 'true' );
wp_script_add_extra_attributes( $handle, $attrs );
}}}
and
{{{#!php
wp_script_delete_extra_attributes( $handle, $attrs );
}}}
I've then added a function for the integrity-specific case:
{{{#!php
function wp_script_integrity( $handle, $hash, $crossorigin = 'anonymous' ) {...}
}}}
Note: style functions just replace script with style in the function name.
I think this should suitably fulfill this ticket.
It appears to me that the main purpose of SRI is to prevent XSS when using
third-party resources (e.g. a CDN). Therefore, the need for a function to
create hashes for local scripts seems moot (though I'm not against the
idea).
Further note: I added a new formatting function `esc_attr_name` as well.
This simply ensures no bad characters are used in attribute names and that
it is not the empty string.
Cheers.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/33948#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
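
Added illustration, not code from the attached patch or from WordPress core: how an integrity value of the kind passed as `$hash` above can be computed from a resource's bytes and emitted on a tag whose attribute names are validated first. The `example_*` function names, the sample script body and the CDN URL are assumptions made for this example.

```php
<?php
// Hypothetical helpers for illustration; the patch's own functions are not shown here.

// Build an SRI value ("sha384-<base64 digest>") from the exact bytes of a resource.
function example_sri_hash( $contents, $algo = 'sha384' ) {
	// The SRI specification defines only these three digest algorithms.
	if ( ! in_array( $algo, array( 'sha256', 'sha384', 'sha512' ), true ) ) {
		throw new InvalidArgumentException( 'SRI allows sha256, sha384 or sha512.' );
	}
	// Third argument true = raw binary digest, which is what SRI base64-encodes.
	return $algo . '-' . base64_encode( hash( $algo, $contents, true ) );
}

// Accept a conservative attribute-name character set; reject the empty string.
function example_is_attr_name( $name ) {
	return is_string( $name )
		&& 1 === preg_match( '/\A[A-Za-z_:][A-Za-z0-9_:.-]*\z/', $name );
}

// Render a <script> tag, skipping invalid attribute names and escaping all values.
function example_script_tag( $src, array $attrs ) {
	$html = '<script src="' . htmlspecialchars( $src, ENT_QUOTES, 'UTF-8' ) . '"';
	foreach ( $attrs as $name => $value ) {
		if ( ! example_is_attr_name( $name ) ) {
			continue; // never emit a name that could break out of the tag
		}
		$html .= ' ' . $name . '="' . htmlspecialchars( $value, ENT_QUOTES, 'UTF-8' ) . '"';
	}
	return $html . '></script>';
}

// Constructed sample body; in practice hash the exact file the third party serves.
$contents = "console.log('hello');\n";

$attrs = array(
	'integrity'   => example_sri_hash( $contents ),
	'crossorigin' => 'anonymous', // cross-origin SRI checks need a CORS-enabled fetch
	'bad name'    => '1',         // skipped: contains a space
	''            => 'empty',     // skipped: empty attribute name
);

echo example_script_tag( 'https://cdn.example.com/lib.js', $attrs ), "\n";
```

The hash has to be regenerated whenever the hosted file changes, since a browser that supports SRI refuses to execute a resource whose digest does not match.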