[wp-trac] [WordPress Trac] #33948: Implement subresource integrity (SRI)

WordPress Trac noreply at wordpress.org
Fri Sep 2 12:15:52 UTC 2016


#33948: Implement subresource integrity (SRI)
-------------------------------------------------+-------------------------
 Reporter:  johnbillion                          |       Owner:
     Type:  enhancement                          |      Status:  new
 Priority:  normal                               |   Milestone:  Awaiting
Component:  Script Loader                        |  Review
 Severity:  normal                               |     Version:
 Keywords:  dev-feedback needs-testing has-      |  Resolution:
  patch                                          |     Focuses:
-------------------------------------------------+-------------------------
Changes (by joe_bopper):

 * keywords:  needs-patch dev-feedback => dev-feedback needs-testing has-
               patch


Comment:

 Hi,

 I have created and attached a patch that allows the application (and
 removal) of extra attributes to both a wp_script and wp_style (that is,
 enqueued `<script>` and `<link>` tags). The functions for these are:
 {{{#!php
 $handle = 'my-script';
 $attrs = array( 'async' => 'true' );
 wp_script_add_extra_attributes( $handle, $attrs );
 }}}
 and
 {{{#!php
 wp_script_delete_extra_attributes( $handle, $attrs );
 }}}

 I've then added a function for the integrity specific case:
 {{{#!php
 function wp_script_integrity( $handle, $hash, $crossorigin = 'anonymous' ) { ... }
 }}}

 Note: style functions just replace script with style in the function name.

 I think this should suitably fulfill this ticket.

 It appears to me that the main purpose of SRI is to prevent XSS when using
 third-party resources (e.g. a CDN). Therefore, the need for a function to
 create hashes for local scripts seems moot (though I'm not against the
 idea).

 Further note: I added a new formatting function `esc_attr_name` as well.
 This simply ensures no bad characters are used in attribute names and that
 it is not the empty string.

 Cheers.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/33948#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
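The comment above describes attaching an `integrity` value to an enqueued script. The following is an added example, not the patch attached to this ticket and not WordPress core code. It shows what such a value is (a base64 digest over the exact bytes the browser fetches), how a browser checks it, and how the attribute can be injected today through the `script_loader_tag` filter that already exists in core. The handle `my-cdn-lib`, the sample script body, the hash map and the helper names are assumptions made for the demo.

```php
<?php
// Added example (not from the ticket or its patch). The helper names, the
// 'my-cdn-lib' handle and the sample script body below are constructed for
// illustration.

// Constructed stand-in for the bytes a CDN would serve for the handle.
define( 'SRI_DEMO_SCRIPT', "window.demo = function () { return 42; };\n" );

// Produce "algo-<base64 digest>" over the exact bytes the browser will fetch.
// SRI allows sha256, sha384 and sha512; sha384 is the usual choice.
function sri_integrity_for_bytes( $bytes, $algo = 'sha384' ) {
    if ( ! in_array( $algo, array( 'sha256', 'sha384', 'sha512' ), true ) ) {
        throw new InvalidArgumentException( "Unsupported SRI algorithm: $algo" );
    }
    return $algo . '-' . base64_encode( hash( $algo, $bytes, true ) );
}

// Same for a local file: hash the bytes actually served, not a re-minified copy.
function sri_integrity_for_file( $path, $algo = 'sha384' ) {
    $bytes = file_get_contents( $path );
    if ( false === $bytes ) {
        throw new RuntimeException( "Cannot read $path" );
    }
    return sri_integrity_for_bytes( $bytes, $algo );
}

// Check bytes against an integrity attribute the way a browser does: the
// value may hold several space-separated tokens (useful for version rollover)
// and any one matching token is a pass. Unknown algorithms are skipped.
// This is stricter than the spec in one respect: an attribute with no
// recognised token fails here, whereas the browser treats it as absent.
function sri_verify( $bytes, $integrity ) {
    foreach ( preg_split( '/\s+/', trim( $integrity ) ) as $token ) {
        if ( '' === $token || false === strpos( $token, '-' ) ) {
            continue;
        }
        list( $algo, $digest ) = explode( '-', $token, 2 );
        if ( ! in_array( $algo, array( 'sha256', 'sha384', 'sha512' ), true ) ) {
            continue;
        }
        if ( hash_equals( $digest, base64_encode( hash( $algo, $bytes, true ) ) ) ) {
            return true;
        }
    }
    return false;
}

// Pinned digests per handle. Computed from the constructed sample here; in a
// real plugin this is a recorded literal for the exact release you enqueue.
function sri_pinned_hashes() {
    return array(
        'my-cdn-lib' => sri_integrity_for_bytes( SRI_DEMO_SCRIPT ),
    );
}

// Callback for the core `script_loader_tag` filter: add integrity and
// crossorigin to the <script> tag of any handle with a pinned digest.
// crossorigin is required for a cross-origin resource; without it (or without
// a matching Access-Control-Allow-Origin header from the CDN) the browser
// refuses to run the script rather than skipping the check.
function sri_script_loader_tag( $tag, $handle, $src ) {
    $pinned = sri_pinned_hashes();
    if ( ! isset( $pinned[ $handle ] ) || false !== stripos( $tag, 'integrity=' ) ) {
        return $tag;
    }
    $integrity = htmlspecialchars( $pinned[ $handle ], ENT_QUOTES, 'UTF-8' );
    $attrs     = '<script integrity="' . $integrity . '" crossorigin="anonymous"';
    return preg_replace( '/<script\b/i', $attrs, $tag, 1 );
}

if ( function_exists( 'add_filter' ) ) {
    add_filter( 'script_loader_tag', 'sri_script_loader_tag', 10, 3 );
} else {
    // Stand-alone demo: php sri-example.php
    $tag = "<script type='text/javascript' src='https://cdn.example/lib.js'></script>\n";
    echo sri_script_loader_tag( $tag, 'my-cdn-lib', 'https://cdn.example/lib.js' );
    $pinned = sri_pinned_hashes();
    var_dump( sri_verify( SRI_DEMO_SCRIPT, $pinned['my-cdn-lib'] ) );
    var_dump( sri_verify( SRI_DEMO_SCRIPT . "// one appended line\n", $pinned['my-cdn-lib'] ) );
}
```

Two practical points follow from the code. The digest covers the decoded response body byte for byte, so any change at the CDN (a re-minified build, a different version resolved by a floating URL) fails closed and the script does not run at all; pin a fixed release URL and update the digest with it, or list the old and new digests together during a rollover. For cross-origin scripts the CDN must answer with `Access-Control-Allow-Origin`, since the `crossorigin="anonymous"` attribute makes the fetch a CORS request and the browser cannot check a digest over an opaque response.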

