[wp-trac] [WordPress Trac] #51407: Remove inline event handlers and JavaScript URIs for Strict CSP-compatibility
WordPress Trac
noreply at wordpress.org
Thu Dec 31 12:53:45 UTC 2020
#51407: Remove inline event handlers and JavaScript URIs for Strict CSP-compatibility
-------------------------------------------------+-------------------------
Reporter: enricocarraro                          | Owner: adamsilverstein
Type: enhancement                                | Status: assigned
Priority: normal                                 | Milestone: 5.7
Component: Security                              | Version: 4.8
Severity: normal                                 | Resolution:
Keywords: has-patch 2nd-opinion has-unit-tests   | Focuses: javascript
-------------------------------------------------+-------------------------
Comment (by jornfranke):
I think a better way would be not to use nonces (too complex to configure
on the web server side etc.). I recommend making all JavaScript strictly
external files. Then I don't need to configure the nonces in the
headers.
Otherwise I strongly support strict CSP. The new block editor is a security
disaster:
unsafe-inline, unsafe-eval, external references to Google Fonts...
A good out-of-the-box WordPress installation must work with the following
CSP for all areas (especially the admin area):
{{{
Content-Security-Policy: default-src 'none'; base-uri 'self'; script-src 'self';
  style-src 'self'; img-src 'self' data:; connect-src 'self'; font-src 'self';
  object-src 'none'; media-src 'none'; child-src 'self'; form-action 'self';
  frame-ancestors 'none'; navigate-to 'self'; block-all-mixed-content
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/51407#comment:8>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
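As an added example (not part of the ticket, the comment above, or WordPress core), the following Node.js lint shows what the commenter's policy actually enforces for scripts and what the ticket's title is asking to remove. It parses a Content-Security-Policy header, reports whether the effective script source list still permits inline script or eval, and scans an HTML fragment for inline event handlers, javascript: URIs and nonce-less inline script blocks, none of which execute under script-src 'self'. The function names (parseCsp, allowsInlineScript, findInlineScriptUsage, auditPage), the LAX_CSP contrast policy and the SAMPLE_HTML fragment are my own constructions; only STRICT_CSP is taken from the comment.

```javascript
// Added example, not code from the WordPress ticket or from WordPress core.
// A small Node.js lint that (1) parses a Content-Security-Policy header and
// reports whether its effective script source list still permits inline
// script or eval, and (2) scans an HTML fragment for the constructs that
// ticket #51407 is about: inline event handlers, javascript: URIs and
// nonce-less inline <script> blocks. Under script-src 'self' none of them run.

// The policy from the comment above, joined onto one line.
const STRICT_CSP =
  "default-src 'none'; base-uri 'self'; script-src 'self'; style-src 'self'; " +
  "img-src 'self' data:; connect-src 'self'; font-src 'self'; object-src 'none'; " +
  "media-src 'none'; child-src 'self'; form-action 'self'; frame-ancestors 'none'; " +
  "navigate-to 'self'; block-all-mixed-content";

// A typical permissive policy, for contrast (constructed, not from the ticket).
const LAX_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'";

// Constructed sample markup in the style of an admin page; not real WordPress output.
const SAMPLE_HTML = `
<a href="javascript:void(0)" onclick="toggleMenu()" onmouseover="showHint()">Menu</a>
<form action="/wp-admin/admin-ajax.php"><button onclick="submitForm(this)">Save</button></form>
<script src="/wp-includes/js/dist/blocks.js"></script>
<script>window.wpApiSettings = {"root":"https://example.test/wp-json/"};</script>
`;

// Parse "directive value value; directive value" into a Map. Per the CSP spec,
// when a directive is repeated only the first occurrence counts.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), values);
  }
  return policy;
}

// Source list that governs scripts: script-src, else default-src, else null (unrestricted).
function scriptSources(policy) {
  return policy.get('script-src') || policy.get('default-src') || null;
}

// 'unsafe-inline' is ignored by CSP2+ browsers when a nonce or hash source is present,
// so a nonce-based policy does not "allow inline" in the sense this check cares about.
function allowsInlineScript(policy) {
  const srcs = scriptSources(policy);
  if (srcs === null) return true;
  const hasNonceOrHash = srcs.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s));
  return srcs.includes("'unsafe-inline'") && !hasNonceOrHash;
}

function allowsEval(policy) {
  const srcs = scriptSources(policy);
  return srcs === null || srcs.includes("'unsafe-eval'");
}

// Regex-based lint of markup: good enough for a CI grep, not an HTML parser.
function findInlineScriptUsage(html) {
  const findings = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  for (const m of html.matchAll(scriptRe)) {
    const [, attrs, body] = m;
    if (/\bsrc\s*=/i.test(attrs)) continue;    // external file: covered by 'self'
    if (/\bnonce\s*=/i.test(attrs)) continue;  // inline with nonce: allowed if the nonce matches
    if (body.trim()) findings.push({ kind: 'inline-script', detail: body.trim().slice(0, 40) });
  }
  // Strip script elements first so '<' inside script bodies cannot look like tags.
  const markup = html.replace(scriptRe, '');
  for (const tag of markup.matchAll(/<[a-z][a-z0-9-]*\b([^>]*)>/gi)) {
    const attrs = tag[1];
    for (const h of attrs.matchAll(/\s(on[a-z]+)\s*=/gi)) {
      findings.push({ kind: 'inline-handler', detail: h[1].toLowerCase() });
    }
    for (const u of attrs.matchAll(/\b(href|src|action|formaction)\s*=\s*["']?\s*javascript:/gi)) {
      findings.push({ kind: 'javascript-uri', detail: u[1].toLowerCase() });
    }
  }
  return findings;
}

// Combine both: would this page lose script execution under this header?
function auditPage(cspHeader, html) {
  const policy = parseCsp(cspHeader);
  const findings = findInlineScriptUsage(html);
  const inlineAllowed = allowsInlineScript(policy);
  return {
    inlineAllowed,
    evalAllowed: allowsEval(policy),
    findings,
    wouldBreak: findings.length > 0 && !inlineAllowed,
  };
}

console.log(JSON.stringify(auditPage(STRICT_CSP, SAMPLE_HTML), null, 2));
```

Run it with `node csp-lint.js`: against STRICT_CSP the sample page reports three inline handlers, one javascript: URI and one inline script, all of which a browser would refuse, so wouldBreak is true; against LAX_CSP the same findings are reported but wouldBreak is false, which is exactly the trade the commenter objects to. Two caveats a practitioner should keep in mind: the parser does not validate directive names, so navigate-to (a draft directive browsers have not shipped) is kept as written rather than flagged, and the nonce handling only checks that a nonce attribute exists, not that it matches the header, which is the server-side wiring the commenter calls too complex to configure.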