[wp-trac] [WordPress Trac] #39941: Allow using Content-Security-Policy without unsafe-inline
WordPress Trac
noreply at wordpress.org
Thu Mar 21 13:17:08 UTC 2019
#39941: Allow using Content-Security-Policy without unsafe-inline
-------------------------------------+--------------------------
Reporter: tomdxw | Owner: johnbillion
Type: enhancement | Status: accepted
Priority: normal | Milestone: 5.3
Component: Security | Version: 4.8
Severity: normal | Resolution:
Keywords: has-patch needs-refresh | Focuses: javascript
-------------------------------------+--------------------------
Comment (by mallorydxw):
@jadeddragoon
> It will not make WP sites more secure
Explain how. tbh it seems to me like you're making perfect the enemy of
good.
Most XSS vulnerabilities in WordPress plugins are _not_ found inside
SCRIPT tags. So by using CSP nonces we'll be preventing the majority of
XSS vulnerabilities.
I agree it would be best to load all JS from `.js` files and not use any
inline JS, but that's a gargantuan task for WordPress (and forget about
convincing plugin devs to do the same). I opened this ticket as a
compromise which is a much easier sell (to WordPress devs and to plugin
devs) while still preventing the majority of XSS vulnerabilities found in
plugins.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/39941#comment:27>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list