[wp-trac] [WordPress Trac] #39941: Allow using Content-Security-Policy without unsafe-inline

Tue Sep 15 10:00:49 UTC 2020

#39941: Allow using Content-Security-Policy without unsafe-inline
-------------------------------------------------+-------------------------
 Reporter:  tomdxw                               |       Owner:
                                                 |  johnbillion
     Type:  enhancement                          |      Status:  accepted
 Priority:  normal                               |   Milestone:  Future
                                                 |  Release
Component:  Security                             |     Version:  4.8
 Severity:  normal                               |  Resolution:
 Keywords:  has-patch 2nd-opinion has-unit-      |     Focuses:  javascript
  tests                                          |
-------------------------------------------------+-------------------------

Comment (by enricocarraro):

 Tickets addressed by the pull request: #39941

 I picked up the work made by @tomdxw and adapted it to the current version
 of WordPress.

 In [https://github.com/WordPress/wordpress-develop/pull/498 this] pull
 request I introduced two new functions that print `<script>` tags and
 enable attribute injection:
 * wp_print_script_loader_tag: for script tags that load JavaScript files
 through the src attribute;
 * wp_print_inline_script _tag: for inline scripts.
 Both these functions filter the attributes passed to them through
 `wp_script_attributes` so that plugins can change script attributes in a
 controlled manner.

 Instead of directly printing `<script>` tags, these functions should be
 used to ensure that every `<script>` tag is controllable.

 In the PR I also included the refactoring of every script tag; now they
 are printed by either `wp_print_inline_script_tag` or
 `wp_print_script_loader_tag`. I followed  [https://csp.withgoogle.com/docs
 /adopting-csp.html this] guide on adopting CSP, considering the `strict-
 dynamic` option enabled.
 I made a [https://github.com/enricocarraro/wp-strict-csp plugin prototype]
 that enables Strict CSP to test these changes.

 A plugin can now control every attribute of every script printed by PHP,
 but there are still three things to do to make WordPress fully compatible
 with Strict CSP:
 * refactor calls to document.write('<script...'), used to load additional
 scripts, to use document.createElement('script'), inside JavaScript files;
 * refactor inline event handlers and javascript URIs;
 * add to the test suite a rule that checks that scripts are printed only
 using either wp_print_inline_script_tag or wp_print_script_loader_tag.
 These last points would be part of #32067, and could be addressed as a
 follow-up to this PR; more details on #32067.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/39941#comment:40>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform