[wp-trac] [WordPress Trac] #39941: Allow using Content-Security-Policy without unsafe-inline
WordPress Trac
noreply at wordpress.org
Wed Mar 20 16:41:34 UTC 2019
#39941: Allow using Content-Security-Policy without unsafe-inline
-------------------------------------+--------------------------
Reporter: tomdxw | Owner: johnbillion
Type: enhancement | Status: accepted
Priority: normal | Milestone: 5.3
Component: Security | Version: 4.8
Severity: normal | Resolution:
Keywords: has-patch needs-refresh | Focuses: javascript
-------------------------------------+--------------------------
Comment (by jadeddragoon):
I really must reiterate that this appears to be an end-run around CSP. It
will not make WP sites more secure and, arguably, will make them less
secure by giving site operators a false sense of security. WP should be
made compliant with strong CSP policies... not try to defeat them.

Blocking "unsafe-inline" JavaScript via CSP exists explicitly to close one
common vector attackers use to inject malicious code into a page. The CSP
is (when done correctly) set in the httpd... independent of the site code.
It is enforced by the client browser. What this patch does is allow this
vulnerability to remain open on WordPress sites without users being made
aware of it by tricking the client browser into believing the code has
been validated by the site operator when it has not.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/39941#comment:24>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
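The CSP behaviour the comment turns on, as an added example (not code from the ticket or from WordPress): a small Python checker that reads a Content-Security-Policy header and reports whether inline scripts are allowed outright, blocked, or gated on a nonce or hash, applying the script-src to default-src fallback and the rule that a browser ignores 'unsafe-inline' once the directive also carries a nonce or hash source. The sample headers are constructed.

```python
"""Classify how a Content-Security-Policy header treats inline scripts.

Added example, not part of the Trac ticket or of WordPress core. It applies
two rules an operator needs when auditing a policy: script-src falls back to
default-src when absent, and (since CSP Level 2) 'unsafe-inline' is ignored
by the browser when the same directive also lists a nonce or hash source.
"""
import re

# Matches 'nonce-...' and 'sha256-...' / 'sha384-...' / 'sha512-...' sources.
NONCE_OR_HASH = re.compile(r"^'(nonce-[^']+|sha(256|384|512)-[^']+)'$", re.I)


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive_name: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, sources)  # first occurrence of a directive wins
    return policy


def inline_script_policy(header: str) -> str:
    """Return 'no-policy', 'allowed', 'nonce-or-hash' or 'blocked'."""
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return "no-policy"          # neither directive present: no restriction
    if any(NONCE_OR_HASH.match(s) for s in sources):
        return "nonce-or-hash"      # 'unsafe-inline', if present, is ignored
    if "'unsafe-inline'" in (s.lower() for s in sources):
        return "allowed"            # any injected inline script will execute
    return "blocked"                # inline scripts are refused by the browser


# Constructed sample headers, not taken from any real site.
SAMPLES = {
    "default-src 'self'; script-src 'self' 'unsafe-inline'": "allowed",
    "default-src 'self'; script-src 'self' 'nonce-abc123' 'unsafe-inline'": "nonce-or-hash",
    "default-src 'self'": "blocked",
    "img-src 'self'": "no-policy",
}

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{inline_script_policy(header):14} {header}")
```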