[wp-trac] [WordPress Trac] #32067: Remove inline javascript from WP-Core to allow CSP protection
WordPress Trac
noreply at wordpress.org
Thu Jan 12 00:25:15 UTC 2017
#32067: Remove inline javascript from WP-Core to allow CSP protection
-----------------------------+------------------------------
Reporter: tdelmas | Owner:
Type: feature request | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version:
Severity: normal | Resolution:
Keywords: | Focuses: javascript
-----------------------------+------------------------------
Changes (by jdgrimes):
* focuses: => javascript
Comment:
Even setting aside CSP entirely, there are still many reasons to remove
all inline scripts and styles. Automatic syntax checking, code sniffing,
minification, RTLificating, etc., is much harder—if not impossible—when JS
and CSS are inline. So I think removing all inline scripts and styles is a
worthy goal, and the fact that it may lead to us one day being able to use
a CSP with WordPress to mitigate persistent XSS/Cross-Site Styling is just
the icing on the cake.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/32067#comment:7>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform