[wp-trac] [WordPress Trac] #39941: Allow using Content-Security-Policy without unsafe-inline
WordPress Trac
noreply at wordpress.org
Tue Sep 15 10:00:49 UTC 2020
#39941: Allow using Content-Security-Policy without unsafe-inline
-------------------------------------------------+-------------------------
Reporter: tomdxw                                 | Owner: johnbillion
Type: enhancement                                | Status: accepted
Priority: normal                                 | Milestone: Future Release
Component: Security                              | Version: 4.8
Severity: normal                                 | Resolution:
Keywords: has-patch 2nd-opinion has-unit-tests   | Focuses: javascript
-------------------------------------------------+-------------------------
Comment (by enricocarraro):
Tickets addressed by the pull request: #39941
I picked up the work made by @tomdxw and adapted it to the current version
of WordPress.
In [https://github.com/WordPress/wordpress-develop/pull/498 this] pull
request I introduced two new functions that print `<script>` tags and
enable attribute injection:
* wp_print_script_loader_tag: for script tags that load JavaScript files
through the src attribute;
* wp_print_inline_script_tag: for inline scripts.
Both these functions filter the attributes passed to them through
`wp_script_attributes` so that plugins can change script attributes in a
controlled manner.
Instead of directly printing `<script>` tags, these functions should be
used to ensure that every `<script>` tag is controllable.
In the PR I also included the refactoring of every script tag; now they
are printed by either `wp_print_inline_script_tag` or
`wp_print_script_loader_tag`. I followed [https://csp.withgoogle.com/docs/adopting-csp.html this]
guide on adopting CSP, considering the `strict-dynamic` option enabled.
I made a [https://github.com/enricocarraro/wp-strict-csp plugin prototype]
that enables Strict CSP to test these changes.
A plugin can now control every attribute of every script printed by PHP,
but there are still three things to do to make WordPress fully compatible
with Strict CSP:
* refactor calls to document.write('<script...'), used to load additional
scripts, to use document.createElement('script'), inside JavaScript files;
* refactor inline event handlers and javascript URIs;
* add to the test suite a rule that checks that scripts are printed only
using either wp_print_inline_script_tag or wp_print_script_loader_tag.
These last points would be part of #32067, and could be addressed as a
follow-up to this PR; more details on #32067.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/39941#comment:40>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
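How a plugin could use the `wp_script_attributes` filter described in the comment above to enable a nonce-based Strict CSP, as an added illustration that is not code from the PR or from the wp-strict-csp prototype. It assumes the filter receives and returns an associative array of attribute name => value, and that the front-end `send_headers` action fires before any output; the `csp_example_` names are hypothetical.

```php
<?php
/**
 * Plugin Name: Strict CSP nonce example (hypothetical, not the PR's code)
 */

// One random nonce per request, generated lazily and reused by both hooks.
function csp_example_nonce() {
    static $nonce = null;
    if ( null === $nonce ) {
        // 128 bits of CSPRNG output, base64 as the CSP spec requires.
        $nonce = base64_encode( random_bytes( 16 ) );
    }
    return $nonce;
}

// Send the policy before the page body. Only nonced <script> tags run, and
// 'strict-dynamic' lets those scripts load further scripts via
// document.createElement('script') without 'unsafe-inline'. The trailing
// https: 'unsafe-inline' is the fallback for browsers without CSP3 support
// recommended by the adopting-csp guide; CSP3 browsers ignore it.
function csp_example_send_header() {
    if ( headers_sent() ) {
        return; // output already started: adding the header now would fail.
    }
    header( sprintf(
        "Content-Security-Policy: script-src 'nonce-%s' 'strict-dynamic' "
        . "https: 'unsafe-inline'; object-src 'none'; base-uri 'none';",
        csp_example_nonce()
    ) );
}
add_action( 'send_headers', 'csp_example_send_header' );

// Attach the same nonce to every <script> tag that core prints through
// wp_print_inline_script_tag / wp_print_script_loader_tag. Any tag printed
// outside those functions has no nonce and is blocked by the policy, which
// is exactly the gap the proposed test-suite rule is meant to catch.
function csp_example_add_nonce( $attributes ) {
    $attributes['nonce'] = csp_example_nonce();
    return $attributes;
}
add_filter( 'wp_script_attributes', 'csp_example_add_nonce' );
```

With this active, a script echoed directly (`echo '<script>...</script>';`) shows up as a CSP violation in the browser console, which makes untouched call sites easy to find while reviewing a theme or plugin.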