[wp-trac] [WordPress Trac] #39941: Allow using Content-Security-Policy without unsafe-inline

WordPress Trac noreply at wordpress.org
Wed Mar 20 16:41:34 UTC 2019


#39941: Allow using Content-Security-Policy without unsafe-inline
-------------------------------------+--------------------------
 Reporter:  tomdxw                   |       Owner:  johnbillion
     Type:  enhancement              |      Status:  accepted
 Priority:  normal                   |   Milestone:  5.3
Component:  Security                 |     Version:  4.8
 Severity:  normal                   |  Resolution:
 Keywords:  has-patch needs-refresh  |     Focuses:  javascript
-------------------------------------+--------------------------

Comment (by jadeddragoon):

 I really must reiterate that this appears to be an end-run around CSP. It
 will not make WP sites more secure and, arguably, will make them less
 secure by giving site operators a false sense of security. WP should be
 made compliant with strong CSP policies... not try to defeat them.

 Blocking "unsafe-inline" JavaScript via CSP exists explicitly to close one
 common vector attackers use to inject malicious code into a page. The CSP
 is (when done correctly) set in the httpd... independent of the site code.
 It is enforced by the client browser. What this patch does is allow this
 vulnerability to remain open on WordPress sites without users being made
 aware of it by tricking the client browser into believing the code has
 been validated by the site operator when it has not.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/39941#comment:24>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
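The comment above contrasts a policy that carries `'unsafe-inline'` with one that vouches for specific inline scripts via a nonce or hash. The following Python is an added example, not code from the ticket, its patch, or WordPress: it parses a `Content-Security-Policy` header, reports whether arbitrary inline script would execute under it, and shows how a per-response nonce or a SHA-256 hash lets an operator approve a known script body without opening inline execution to everything. The sample policies, `WEAK_CSP` and the strict header built in `main()`, are constructed for illustration. One behaviour worth knowing when auditing headers: per CSP Level 2 and later, a `script-src` that contains a nonce or hash source causes the browser to ignore `'unsafe-inline'`, so adding a nonce to an otherwise permissive policy silently tightens it.

```python
import base64
import hashlib
import secrets
from typing import Dict, List, Optional

# Constructed sample header (not from the ticket): any inline <script> runs.
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'"

HASH_PREFIXES = ("'sha256-", "'sha384-", "'sha512-")


def make_nonce(nbytes: int = 16) -> str:
    """Generate a per-response nonce; a fresh value must be issued on every page load."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def script_hash(body: str) -> str:
    """CSP hash-source for an inline script: SHA-256 over the exact bytes between the tags."""
    digest = hashlib.sha256(body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive-name: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def script_sources(policy: Dict[str, List[str]]) -> List[str]:
    """Effective script sources: script-src, falling back to default-src when absent."""
    return policy.get("script-src", policy.get("default-src", []))


def inline_script_allowed(header: str) -> bool:
    """True when arbitrary inline script executes under the policy (the vector the comment describes).

    'unsafe-inline' only takes effect if no nonce or hash source is present;
    once either appears, browsers ignore the keyword.
    """
    sources = [s.lower() for s in script_sources(parse_csp(header))]
    has_nonce_or_hash = any(
        s.startswith("'nonce-") or s.startswith(HASH_PREFIXES) for s in sources
    )
    return "'unsafe-inline'" in sources and not has_nonce_or_hash


def inline_script_executes(header: str, body: str, nonce: Optional[str] = None) -> bool:
    """Decide whether one specific inline script (its body, and the nonce attribute it
    carries, if any) would execute under the policy."""
    sources = script_sources(parse_csp(header))
    # Nonce and hash comparisons are case-sensitive (base64 values).
    if nonce is not None and f"'nonce-{nonce}'" in sources:
        return True
    if script_hash(body) in sources:
        return True
    return inline_script_allowed(header)


def build_strict_csp(nonce: str, approved_bodies: List[str]) -> str:
    """Build a policy that admits only nonce-tagged scripts and the listed, hashed bodies."""
    hashes = " ".join(script_hash(b) for b in approved_bodies)
    return f"default-src 'self'; script-src 'self' 'nonce-{nonce}' {hashes}".rstrip()


def main() -> None:
    nonce = make_nonce()
    strict = build_strict_csp(nonce, ["console.log('boot')"])
    # Constructed injected payload; it has neither the nonce nor an approved hash.
    injected = "alert(document.cookie)"
    print("weak  policy lets injected script run:", inline_script_executes(WEAK_CSP, injected))
    print("strict policy lets injected script run:", inline_script_executes(strict, injected))
    print("strict policy runs nonce-tagged script:", inline_script_executes(strict, injected, nonce))
    print("strict policy runs hashed boot script: ", inline_script_executes(strict, "console.log('boot')"))


if __name__ == "__main__":
    main()
```

The hash check is deliberately byte-exact: a single changed character (even trailing whitespace) in the inline body produces a different digest and the script is refused, which is what makes hash sources safe to ship for static bootstrap snippets and nonces the better fit for templated ones.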