[wp-trac] [WordPress Trac] #39941: Allow using Content-Security-Policy without unsafe-inline
WordPress Trac
noreply at wordpress.org
Mon Aug 6 17:32:14 UTC 2018
#39941: Allow using Content-Security-Policy without unsafe-inline
-------------------------+--------------------------
Reporter: tomdxw | Owner: johnbillion
Type: enhancement | Status: accepted
Priority: normal | Milestone: 5.0
Component: Security | Version: 4.8
Severity: normal | Resolution:
Keywords: | Focuses: javascript
-------------------------+--------------------------
Comment (by jadeddragoon):
Replying to [comment:16 giuse]:
> In that case no CSP can help, if an attacker was able to do that, he can do what he wants.
??? That's exactly the kind of case CSP is meant to stop. Why wouldn't it
help?
If you mean that, at that point, an attacker could introduce their own CSP
policy via {{{<meta http-equiv="Content-Security-Policy"}}} then this,
while true, has no bearing here. As per the current CSP documentation
[https://www.w3.org/TR/CSP2/#enforcing-multiple-policies here] the most
restrictive policy for a given directive "wins". This is because all
policies are enforced and any use of a feature matching a directive must
pass all defined policies.
So if I configure a strong CSP header that doesn't allow inline scripts
and styles and lists no nonces or hashes and then an attacker manages to
inject a CSP of his own via meta tags with {{{unsafe-inline}}} or even a
hash for the injected code... his code still won't run. It will pass the
policy he injected but fail the original policy... and it must pass all
policies.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/39941#comment:17>
WordPress Trac <https://core.trac.wordpress.org/>