[wp-trac] [WordPress Trac] #32067: Remove inline javascript from WP-Core to allow CSP protection
WordPress Trac
noreply at wordpress.org
Tue Sep 15 10:03:20 UTC 2020
#32067: Remove inline javascript from WP-Core to allow CSP protection
-----------------------------+-----------------------------
Reporter: tdelmas | Owner: johnbillion
Type: feature request | Status: accepted
Priority: normal | Milestone: Future Release
Component: Security | Version:
Severity: normal | Resolution:
Keywords: | Focuses: javascript
-----------------------------+-----------------------------
Comment (by enricocarraro):
I worked on refactoring all script tags so that their attributes can be
controlled in [https://github.com/WordPress/wordpress-develop/pull/498
this] pull request for #39941.
Now I'm working on another PR focusing on refactoring inline event
handlers and JavaScript URIs in a way that is as clean as possible, and
that doesn't impact the page rendering time;
Page rendering time becomes a slow when there are many inline script tags
spread across the page; solutions to this could be:
* grouping all event handlers and JavaScript URIs, and printing them
together at the end of the page
* could be done using WP_Scritps;
* moving them to JavaScript Files
* not an option for all, as some receive data from PHP;
* it's tricky to understand which pages can be grouped together and thus
include the same JavaScript File;
* adding the defer attribute so that the script can only be executed after
document parsing is completed.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/32067#comment:17>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list