[wp-trac] [WordPress Trac] #39941: Allow using Content-Security-Policy without unsafe-inline
WordPress Trac
noreply at wordpress.org
Tue Oct 20 19:01:06 UTC 2020
#39941: Allow using Content-Security-Policy without unsafe-inline
-------------------------------------------------+-------------------------
Reporter: tomdxw | Owner: (none)
Type: enhancement | Status: assigned
Priority: normal | Milestone: 5.6
Component: Security | Version: 4.8
Severity: normal | Resolution:
Keywords: has-patch has-unit-tests needs-dev-note needs-refresh | Focuses: javascript
-------------------------------------------------+-------------------------
Changes (by ocean90):
* keywords: has-patch has-unit-tests commit needs-dev-note => has-patch has-unit-tests needs-dev-note needs-refresh
Comment:
Quick feedback on [attachment:"39941.diff"]:
* `wp_sanitize_script_attributes()` should only sanitize the attributes
and not add any new ones. The filter should also be removed.
* The check `! is_admin() && ! current_theme_supports( 'html5', 'script' )`
in `wp_sanitize_script_attributes()` should only be called once; it's
currently called in a loop.
* How about moving the `wp_script_attributes` filter into
`wp_get_script_tag()` and `wp_get_inline_script_tag()` and then use this
filter to add the `type` attribute if the theme doesn't support HTML5?
* `sprintf( ' %1$s="%1$s"', $attribute_name );`: shouldn't the value be
escaped with `esc_attr()` for consistency?
* The nested conditions for the boolean attributes should probably be
combined to `is_bool( $attribute_value ) && $attribute_value`
--
Ticket URL: <https://core.trac.wordpress.org/ticket/39941#comment:60>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
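An added illustration of the attribute handling the review above asks for; this is not WordPress core code and not the attachment under review. It escapes every value with `esc_attr()`, renders boolean attributes as `name="name"` and drops `false` ones, takes the HTML5 check as a one-time `$html5` flag instead of re-evaluating it per attribute, and carries a CSP `nonce` attribute through. The `example_*` function names, the `$html5` parameter and the sample attribute values are assumptions, and `esc_attr()` gets a stand-in so the snippet runs outside WordPress.

```php
<?php
// Stand-in for WordPress's esc_attr() so the snippet runs outside WordPress.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}

/**
 * Build the attribute string for a <script> tag.
 *
 * $html5 (assumed parameter) stands in for the one-time check
 * `! is_admin() && ! current_theme_supports( 'html5', 'script' )`,
 * which the caller evaluates once instead of inside the attribute loop.
 */
function example_script_attributes( array $attributes, $html5 = true ) {
    if ( ! $html5 && ! isset( $attributes['type'] ) ) {
        // Themes without HTML5 script support still expect an explicit type.
        $attributes = array( 'type' => 'text/javascript' ) + $attributes;
    }
    $out = '';
    foreach ( $attributes as $name => $value ) {
        if ( is_bool( $value ) ) {
            // Boolean attribute: true renders as name="name", false is dropped.
            if ( $value ) {
                $out .= sprintf( ' %1$s="%1$s"', esc_attr( $name ) );
            }
            continue;
        }
        // Every non-boolean value goes through esc_attr(), the nonce included.
        $out .= sprintf( ' %s="%s"', esc_attr( $name ), esc_attr( $value ) );
    }
    return $out;
}

function example_inline_script_tag( $javascript, array $attributes, $html5 = true ) {
    $attr = example_script_attributes( $attributes, $html5 );
    return sprintf( "<script%s>\n%s\n</script>", $attr, $javascript );
}

// Constructed sample: a CSP nonce (the attribute that lets a policy drop
// 'unsafe-inline'), one true and one false boolean, and a value that needs escaping.
$sample_attributes = array(
    'nonce'       => 'constructedNonceValue',
    'async'       => true,
    'defer'       => false,
    'data-source' => 'a"b',
);
echo example_inline_script_tag( 'console.log( "hello" );', $sample_attributes, false ), "\n";
```

The inline JavaScript body is intentionally not HTML-escaped, matching how script contents are emitted; only the attribute names and values pass through `esc_attr()`.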