[wp-trac] [WordPress Trac] #53902: Automating the creation of inline javascript and inline stylesheet nonces or hashes
WordPress Trac
noreply at wordpress.org
Mon Aug 9 13:27:26 UTC 2021
#53902: Automating the creation of inline javascript and inline stylesheet nonces or hashes
--------------------------------+-----------------------------
 Reporter:  Josiah S. Carberry  |      Owner:  (none)
     Type:  feature request     |     Status:  new
 Priority:  normal              |  Milestone:  Awaiting Review
Component:  General             |    Version:  trunk
 Severity:  normal              |   Keywords:
  Focuses:                      |
--------------------------------+-----------------------------
Inline JavaScript and stylesheets are fairly common in the WordPress
ecosystem. Site managers wishing to harden WordPress via a Content
Security Policy must choose between allowing such inline code via the
"unsafe-inline" directive and finding a way to include either hashes or
nonces in the CSP and, for nonces, in the code itself.
While there are means to determine hashes for static javascript or
stylesheets, this is hardly possible for dynamically created code. It
would help better secure WordPress sites if WP included the functionality
that could automate the creation of nonces or hashes and automatically
include them in a function that sends the appropriate, dynamically
created, header via PHP or perhaps by writing to .htaccess or the like.
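The hash-based variant of what the ticket asks for, as an added example and not code from the ticket or from WordPress core: a must-use plugin that buffers the front-end response, hashes the body of every inline `<script>` and `<style>` in the final markup, and emits a matching Content-Security-Policy header before the page is sent. It assumes a hypothetical `csp_example_` prefix and relies only on the standard `template_redirect` action, `ob_start()` callbacks and PHP's `hash()`.

```php
<?php
/**
 * Plugin Name: CSP inline hashes (added example, hypothetical)
 * Drop into wp-content/mu-plugins/. Hashes every inline <script> and <style>
 * body in the rendered HTML and sends a CSP that allows exactly those blocks.
 */

// Return the 'sha256-…' source expressions for all inline blocks of one tag.
function csp_example_inline_hashes( string $html, string $tag ): array {
    $hashes = array();
    // Group 1: tag attributes, group 2: body; /s lets the body span lines.
    if ( preg_match_all( "#<{$tag}\b([^>]*)>(.*?)</{$tag}>#is", $html, $m, PREG_SET_ORDER ) ) {
        foreach ( $m as $match ) {
            // External scripts (src=…) are matched by host sources, not hashes.
            if ( preg_match( '/\bsrc\s*=/i', $match[1] ) ) {
                continue;
            }
            // CSP hashes the exact bytes between the tags, whitespace included.
            $hashes[] = "'sha256-" . base64_encode( hash( 'sha256', $match[2], true ) ) . "'";
        }
    }
    return array_values( array_unique( $hashes ) );
}

// Build the policy value for one rendered page.
function csp_example_policy_for( string $html ): string {
    $script_src = array_merge( array( "'self'" ), csp_example_inline_hashes( $html, 'script' ) );
    $style_src  = array_merge( array( "'self'" ), csp_example_inline_hashes( $html, 'style' ) );
    return "default-src 'self'; script-src " . implode( ' ', $script_src )
         . '; style-src ' . implode( ' ', $style_src );
}

// template_redirect fires for front-end requests only; buffer the whole
// template so the header can be computed from the final markup.
add_action( 'template_redirect', function () {
    ob_start( function ( string $html ): string {
        // The callback runs before any output is flushed, so headers still work.
        if ( ! headers_sent() ) {
            header( 'Content-Security-Policy: ' . csp_example_policy_for( $html ) );
        }
        return $html;
    } );
} );
```

Hashes cover only `<script>`/`<style>` bodies, not inline event-handler attributes, and anything that rewrites the HTML after this buffer (a minifying cache, for instance) invalidates them, so test with `Content-Security-Policy-Report-Only` first.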
--
Ticket URL: <https://core.trac.wordpress.org/ticket/53902>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform