[wp-trac] [WordPress Trac] #39941: Allow using Content-Security-Policy without unsafe-inline
WordPress Trac
noreply at wordpress.org
Thu Jul 11 00:03:55 UTC 2019
#39941: Allow using Content-Security-Policy without unsafe-inline
-------------------------------------------------+-------------------------
Reporter: tomdxw | Owner: johnbillion
Type: enhancement | Status: accepted
Priority: normal | Milestone: Future Release
Component: Security | Version: 4.8
Severity: normal | Resolution:
Keywords: has-patch needs-refresh 2nd-opinion | Focuses: javascript
-------------------------------------------------+-------------------------
Comment (by alinod):
Replying to [comment:36 epicfaace]:
> So it seems like the two options are 1) calculating static hashes for
> all inline scripts used in WordPress core, adding a build process to add
> these in to the source code or 2) switching all of WP's inline JS to
> external JavaScript instead. At this point, it seems like the latter might
> be simpler. What are the main challenges with doing so?

I'm not sure whether you were addressing this last part to me, or not. I
would certainly agree that the latter is preferable. Unfortunately, I'm
not well versed enough in WordPress core to assess the level of difficulty
in doing so. My assumption was that if it were easy, someone would have
done it already... but I'd gladly be wrong on that point.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/39941#comment:37>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
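
Option 1 from the quoted comment (static hashes computed by a build step), sketched as an added example that is not part of the original message and is not WordPress code. The sample HTML, the function names and the regex-based extraction are assumptions made for illustration.

```javascript
const { createHash } = require('crypto');

// Constructed sample page (not WordPress output): one external script, two inline.
const SAMPLE_HTML = `<!doctype html>
<html><head>
<script src="/static/app.js"></script>
<script>var exampleSettings = {"userId":1};</script>
<script>
document.documentElement.className = 'js';
</script>
</head><body></body></html>`;

// CSP hash source: base64 SHA-256 over the exact text between the script tags.
function hashSource(scriptText) {
  const digest = createHash('sha256').update(scriptText, 'utf8').digest('base64');
  return `'sha256-${digest}'`;
}

// Simplification: regex extraction; a real build step should use an HTML parser.
function inlineScripts(html) {
  const found = [];
  for (const m of html.matchAll(/<script\b([^>]*)>([\s\S]*?)<\/script>/gi)) {
    if (!/\bsrc\s*=/i.test(m[1])) found.push(m[2]); // src scripts fall under 'self'
  }
  return found;
}

// Build step: one hash source per distinct inline script, no 'unsafe-inline'.
function buildPolicy(html) {
  const hashes = [...new Set(inlineScripts(html).map(hashSource))];
  return ["script-src 'self'", ...hashes].join(' ');
}

// Audit step: inline scripts in a rendered page that the policy would block.
function unlistedScripts(html, policy) {
  const allowed = new Set(policy.split(/\s+/));
  return inlineScripts(html).filter((s) => !allowed.has(hashSource(s)));
}

const policy = buildPolicy(SAMPLE_HTML);
console.log('Content-Security-Policy: ' + policy);
// A single changed byte in an inline script no longer matches its static hash.
const perUser = SAMPLE_HTML.replace('"userId":1', '"userId":2');
console.log('unlisted after change:', unlistedScripts(perUser, policy).length);
```

The audit function shows the constraint on this option: a hash only covers inline script text that is byte-for-byte identical to what the build step saw.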