[wp-trac] [WordPress Trac] #39941: Allow using Content-Security-Policy without unsafe-inline
WordPress Trac
noreply at wordpress.org
Fri Feb 24 17:42:37 UTC 2017
#39941: Allow using Content-Security-Policy without unsafe-inline
-------------------------------+------------------------------
Reporter: tomdxw | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: trunk
Severity: normal | Resolution:
Keywords: reporter-feedback | Focuses:
-------------------------------+------------------------------
Comment (by tomdxw):
Sorry, I should have explained better.
The CSP specification ( https://www.w3.org/TR/CSP2/ ) has two ways of
allowing inline JavaScript: hashes and nonces.
I looked at hashes, but they would have required much larger changes to
WordPress. And it would also require calculating multiple hashes on each
page load which would have slowed the page down a small amount.
But with nonces you add a header like this:
{{{
Content-Security-Policy: script-src 'nonce-123abc'
}}}
And then whenever you use inline JavaScript, you add a `nonce` attribute
to the script element:
{{{
<script nonce="123abc">
doSomething()
</script>
}}}
And when the browser encounters a script tag with the wrong nonce (or no
nonce), it refuses to execute that JavaScript.
These nonces function in pretty much the same way as WordPress's nonces:
so long as the attacker doesn't know what they are, they can't execute
JavaScript. So when a plugin author writes `<input value="<?php echo
$_GET['x'] ?>">`, an attacker isn't able to inject their own JavaScript
because they don't know what the nonce is.
> Is this widely supported by browsers?
Chrome and Firefox support it. Edge 38 (the current version) doesn't
support CSP nonces. But Edge 39 does.
Here's the caniuse page: http://caniuse.com/#feat=contentsecuritypolicy2
Here's a very basic test page (if everything works you will see one alert
box; if CSP isn't supported at all you will see two alert boxes; and if
CSP is supported but nonces aren't, you won't see any alert boxes):
https://cdn.rawgit.com/tomdxw/95a22a1be010b2d07152be6b3f635fa1/raw/039d6fe0876dfc0c689be0f5787c038d1f27f5d5/nonce-test.html
> Can the same nonce be re-used for all script tags?
That's correct, yes. In the proof-of-concept plugin it uses the same nonce
for every script tag.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/39941#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
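An added illustration of the nonce scheme the comment above describes, written as a minimal WordPress plugin fragment; it is not the ticket's proof-of-concept plugin. It assumes the core `send_headers` action and the `esc_attr()` helper; the `cspx_` function names are invented for this example.

```php
<?php
/*
Plugin Name: CSP Nonce Illustration (added example, not the ticket's plugin)
*/

// One nonce per HTTP response: generated from the CSPRNG, never derived from
// anything an attacker could guess, and reused only within this single response.
function cspx_get_nonce() {
    static $nonce = null;
    if ( $nonce === null ) {
        // 128 bits of randomness, base64-encoded as the CSP grammar expects.
        $nonce = base64_encode( random_bytes( 16 ) );
    }
    return $nonce;
}

// Emit the policy before any body output. 'send_headers' is a core WordPress
// action that fires from WP::send_headers(); the $wp argument is not needed here.
add_action( 'send_headers', function ( $wp ) {
    $nonce = cspx_get_nonce();
    header( "Content-Security-Policy: script-src 'nonce-{$nonce}'" );
} );

// Template helper: prints an inline script tag carrying the current nonce, so the
// browser will run it, while injected markup without the nonce is refused.
// $js must be developer-authored JavaScript, never user-supplied data.
function cspx_inline_script( $js ) {
    printf( '<script nonce="%s">%s</script>', esc_attr( cspx_get_nonce() ), $js );
}

// Usage in a theme or plugin template:
// cspx_inline_script( 'doSomething();' );
```

Because the nonce changes on every response, a full-page cache that stores the HTML would serve a stale nonce that no longer matches the freshly generated header, so nonce-carrying pages must not be cached as static output.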