[wp-trac] [WordPress Trac] #37162: wp_style_add_data and wp_script_add_data should accept SRI information
WordPress Trac
noreply at wordpress.org
Tue Sep 4 16:58:18 UTC 2018
#37162: wp_style_add_data and wp_script_add_data should accept SRI information
----------------------------+------------------------------
Reporter: michaelkrieger | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Script Loader | Version: 4.5.3
Severity: normal | Resolution:
Keywords: | Focuses:
----------------------------+------------------------------
Old description:
> Subresource Integrity Hashes (SRI) is now recommended for many CDN
> sourced CSS and JavaScript as provided for in http://www.w3.org/TR/SRI/ .
> Wordpress does not allow SRI code (or anything other than a set list) to
> be added via wp_*_add_data. The same applies to javascript loading in
> addition to stylesheet loading.
>
> wp_*_add_data should support these tags instead of currently silently
> ignoring them. The two tag keys are crossorigin and integrity.
>
> Example of recommended link tags that should be generated:
> {{{
> <link rel="stylesheet"
> href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0-alpha.2/css/bootstrap.min.css"
> integrity="sha384
> -y3tfxAZXuh4HwSYylfB+J125MxIs6mR5FOHamPBG064zB+AFeWH94NdvaCBm8qnd"
> crossorigin="anonymous">
>
> <link href="https://maxcdn.bootstrapcdn.com/font-awesome/4.6.3/css/font-
> awesome.min.css" rel="stylesheet" integrity="sha384-T
> 8Gy5hrqNKT+hzMclPo118YTQO6cYprQmhrYwIiQ/3axmI1hQomh7Ud2hPOy8SP1"
> crossorigin="anonymous">
> }}}
>
> Expected (currently non-working usage)
> {{{
> wp_enqueue_style('bootstrap',
> "https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0-alpha.2/css/bootstrap.min.css",
> array(), null, 'all');
> wp_style_add_data('bootstrap', 'crossorigin', 'anonymous');
> wp_style_add_data('bootstrap', 'integrity',
> 'sha384-y3tfxAZXuh4HwSYylfB+J125MxIs6mR5FOHamPBG064zB+AFeWH94NdvaCBm8qnd');
> }}}
New description:
Subresource Integrity Hashes (SRI) is now recommended for many CDN sourced
CSS and JavaScript as provided for in http://www.w3.org/TR/SRI/ .
WordPress does not allow SRI code (or anything other than a set list) to
be added via wp_*_add_data. The same applies to javascript loading in
addition to stylesheet loading.
wp_*_add_data should support these tags instead of currently silently
ignoring them. The two tag keys are crossorigin and integrity.
Example of recommended link tags that should be generated:
{{{
<link rel="stylesheet"
href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0-alpha.2/css/bootstrap.min.css"
integrity="sha384
-y3tfxAZXuh4HwSYylfB+J125MxIs6mR5FOHamPBG064zB+AFeWH94NdvaCBm8qnd"
crossorigin="anonymous">
<link href="https://maxcdn.bootstrapcdn.com/font-awesome/4.6.3/css/font-
awesome.min.css" rel="stylesheet" integrity="sha384-T
8Gy5hrqNKT+hzMclPo118YTQO6cYprQmhrYwIiQ/3axmI1hQomh7Ud2hPOy8SP1"
crossorigin="anonymous">
}}}
Expected (currently non-working usage)
{{{
wp_enqueue_style('bootstrap',
"https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0-alpha.2/css/bootstrap.min.css",
array(), null, 'all');
wp_style_add_data('bootstrap', 'crossorigin', 'anonymous');
wp_style_add_data('bootstrap', 'integrity',
'sha384-y3tfxAZXuh4HwSYylfB+J125MxIs6mR5FOHamPBG064zB+AFeWH94NdvaCBm8qnd');
}}}
--
Comment (by georgestephanis):
Previously, #33948
--
Ticket URL: <https://core.trac.wordpress.org/ticket/37162#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list