[wp-trac] [WordPress Trac] #32067: Remove inline javascript from WP-Core to allow CSP protection
WordPress Trac
noreply at wordpress.org
Sun Apr 2 21:43:49 UTC 2017
#32067: Remove inline javascript from WP-Core to allow CSP protection
-----------------------------+------------------------------
Reporter: tdelmas | Owner:
Type: feature request | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version:
Severity: normal | Resolution:
Keywords: | Focuses: javascript
-----------------------------+------------------------------
Comment (by Phil McKerracher):

Can I request an increase in priority for this, as is appropriate for a
security issue? Attacks are becoming more sophisticated and frequent, more
people are using SSL now, and security ratings on places like
https://observatory.mozilla.org and https://securityheaders.io are
beginning to matter.

I don't mind disabling or replacing insecure plugins or features
temporarily, or adding some named exceptions to a CSP header to allow for
legacy code. But problems in WP core are more difficult to fix without
them being overwritten by the next update. Hashes and nonces are sometimes
a workaround but are difficult to implement and maintain.

On the other hand, removing inline scripts and styles from WP core seems
like a fairly routine task (though not trivial because there are many)
that would have additional benefits, as others have said.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/32067#comment:9>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform