[wp-trac] [WordPress Trac] #39941: Allow using Content-Security-Policy without unsafe-inline
WordPress Trac
noreply at wordpress.org
Wed Mar 20 21:23:25 UTC 2019
#39941: Allow using Content-Security-Policy without unsafe-inline
-------------------------------------+--------------------------
Reporter: tomdxw | Owner: johnbillion
Type: enhancement | Status: accepted
Priority: normal | Milestone: 5.3
Component: Security | Version: 4.8
Severity: normal | Resolution:
Keywords: has-patch needs-refresh | Focuses: javascript
-------------------------------------+--------------------------
Comment (by jrchamp):
Replying to [comment:24 jadeddragoon]:
> The CSP is (when done correctly) set in the httpd... independent of the
> site code.
Only the application itself will know the elements that need to be
allowed, so only the application can accurately set the CSP. The best
[https://csp.withgoogle.com/docs/strict-csp.html strict CSP example] uses
strict-dynamic and a random nonce which must be provided to each permitted
script tag embedded in the page. This allows the browser to differentiate
between the scripts that were sent by the server and those that were
injected via strings.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/39941#comment:25>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
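As an added illustration of the nonce-plus-strict-dynamic approach jrchamp describes (example code written here, not from WordPress core or from the ticket's patch): the application generates a fresh nonce per response, emits it in the header, stamps it onto every script tag it produces itself, and a script that arrives as a string (an injected one) never carries it and so does not run. The markup, script paths and function names below are constructed for the example.

```python
import re
import secrets
from typing import List, Optional, Tuple

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
NONCE_ATTR = re.compile(r"""\bnonce\s*=\s*["']([^"']*)["']""", re.IGNORECASE)

def make_nonce() -> str:
    """Fresh 128-bit random nonce; generate one per response, never reuse it."""
    return secrets.token_urlsafe(16)

def strict_csp_header(nonce: str) -> str:
    """Header value: only nonced scripts run, and 'strict-dynamic' lets them
    load further scripts, so neither 'unsafe-inline' nor host allowlists are needed."""
    return (f"script-src 'nonce-{nonce}' 'strict-dynamic'; "
            "object-src 'none'; base-uri 'none'")

def stamp_scripts(html: str, nonce: str) -> str:
    """Add nonce= to every <script> tag the application emits itself."""
    def add(m):
        attrs = m.group(1)
        if NONCE_ATTR.search(attrs):        # already nonced: leave it alone
            return m.group(0)
        return f'<script nonce="{nonce}"{attrs}>'
    return SCRIPT_TAG.sub(add, html)

def classify_scripts(html: str, nonce: str) -> List[Tuple[str, bool]]:
    """Model the browser's decision: a script tag executes only if its nonce
    attribute equals the one in the policy."""
    out = []
    for m in SCRIPT_TAG.finditer(html):
        found = NONCE_ATTR.search(m.group(1))
        out.append((m.group(0), bool(found) and found.group(1) == nonce))
    return out

# Constructed sample: markup the application itself emits, followed by untrusted
# content that reaches the page as a string (stand-in for an injected script).
APP_TEMPLATE = ('<script src="/wp-includes/js/jquery/jquery.js"></script>\n'
                '<script>wp.init();</script>\n')
INJECTED = '<p>nice post</p><script src="https://example.invalid/x.js"></script>'

def render_demo(nonce: Optional[str] = None) -> Tuple[str, List[Tuple[str, bool]]]:
    """Return the header to send and, per script tag, whether the browser runs it."""
    nonce = nonce or make_nonce()
    page = stamp_scripts(APP_TEMPLATE, nonce) + INJECTED   # injected part is never stamped
    return strict_csp_header(nonce), classify_scripts(page, nonce)
```

Calling `render_demo()` yields the header and a list in which the two application scripts are allowed and the appended one is blocked; a reused or guessable nonce would defeat the whole distinction, which is why it must be random and per response.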