[wp-trac] [WordPress Trac] #39941: Allow using Content-Security-Policy without unsafe-inline
WordPress Trac
noreply at wordpress.org
Mon Aug 6 00:07:39 UTC 2018
#39941: Allow using Content-Security-Policy without unsafe-inline
-------------------------+--------------------------
Reporter: tomdxw | Owner: johnbillion
Type: enhancement | Status: accepted
Priority: normal | Milestone: 5.0
Component: Security | Version: 4.8
Severity: normal | Resolution:
Keywords: | Focuses: javascript
-------------------------+--------------------------
Comment (by jadeddragoon):
Doesn't this "solution" completely undermine CSP? If an attacker
successfully injects script into a page won't the filter helpfully add a
nonce to it? At that point why not just disable CSP entirely?
--
Ticket URL: <https://core.trac.wordpress.org/ticket/39941#comment:15>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list