[wp-trac] [WordPress Trac] #53902: Automating the creation of inline javascript and inline stylesheet nonces or hashes

WordPress Trac noreply at wordpress.org
Mon Aug 9 13:27:26 UTC 2021


#53902: Automating the creation of inline javascript and inline stylesheet nonces
or hashes
--------------------------------+-----------------------------
 Reporter:  Josiah S. Carberry  |      Owner:  (none)
     Type:  feature request     |     Status:  new
 Priority:  normal              |  Milestone:  Awaiting Review
Component:  General             |    Version:  trunk
 Severity:  normal              |   Keywords:
  Focuses:                      |
--------------------------------+-----------------------------
 Inline JavaScript and stylesheets are fairly common in the WordPress
 ecosystem. Site managers wishing to harden WordPress via a Content
 Security Policy have a choice between allowing such inline code via the
 "unsafe-inline" directive or finding a way to include either hashes or
 nonces in the CSP and, for nonces, in the code itself.

 While there are means to determine hashes for static JavaScript or
 stylesheets, this is hardly possible for dynamically created code. It
 would help better secure WordPress sites if WP included the functionality
 that could automate the creation of nonces or hashes and automatically
 include them in a function that sends the appropriate, dynamically
 created, header via PHP or perhaps by writing to .htaccess or the like.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/53902>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
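The mechanism the ticket asks core to provide can be approximated today with a must-use plugin, shown here as an added example that is not WordPress core code and not part of the ticket. It assumes WordPress 5.7 or later, where the `wp_script_attributes` and `wp_inline_script_attributes` filters exist, and it assumes that the inline scripts you care about are printed through core's script API (wp_add_inline_script() and friends) so that those filters see them. The function names prefixed `wpcsp_` are hypothetical. It generates one CSPRNG nonce per request, stamps it onto every script tag core prints, sends the matching header before any output, and includes a helper that produces the CSP hash form for a static inline block.

```php
<?php
/**
 * Plugin Name: CSP nonce for core-printed scripts (illustrative mu-plugin)
 *
 * Added example, not WordPress core code. Assumes WordPress >= 5.7 for the
 * wp_script_attributes / wp_inline_script_attributes filters. Inline code that a
 * theme or plugin echoes directly (bypassing the script API) receives no nonce
 * and is blocked by the policy below; that gap is what the ticket is about.
 */

// One nonce per request: 128 bits from the CSPRNG, base64-encoded as CSP requires.
// Never reuse a nonce across responses, or it stops being a nonce.
function wpcsp_nonce() {
	static $nonce = null;
	if ( null === $nonce ) {
		$nonce = base64_encode( random_bytes( 16 ) );
	}
	return $nonce;
}

// CSP source expression for a static inline block: SHA-256 over the exact bytes
// between the opening and closing tag (whitespace included), base64-encoded.
function wpcsp_hash_source( $inline_code ) {
	return "'sha256-" . base64_encode( hash( 'sha256', $inline_code, true ) ) . "'";
}

// Policy string. Only script-src gets the nonce: as of the assumed version core
// exposes no attribute filter for inline <style> output, so inline CSS would
// still need hashes or a separate mechanism.
function wpcsp_policy() {
	$nonce = wpcsp_nonce();
	return implode( '; ', array(
		"default-src 'self'",
		"script-src 'self' 'nonce-" . $nonce . "'",
		"style-src 'self'",
		"object-src 'none'",
		"base-uri 'self'",
	) );
}

// Stamp the per-request nonce onto every <script> tag core prints, external
// and inline alike. Both filters receive an attribute array and return it.
function wpcsp_add_nonce_attribute( $attributes ) {
	$attributes['nonce'] = wpcsp_nonce();
	return $attributes;
}
add_filter( 'wp_script_attributes', 'wpcsp_add_nonce_attribute' );
add_filter( 'wp_inline_script_attributes', 'wpcsp_add_nonce_attribute' );

// send_headers fires before the template produces output, so header() still works.
add_action( 'send_headers', function () {
	if ( ! headers_sent() ) {
		header( 'Content-Security-Policy: ' . wpcsp_policy() );
	}
} );

// Example of the hash route for a known, static inline block (constructed sample).
// Append the result to script-src instead of, or in addition to, the nonce.
$wpcsp_static_sample = "document.documentElement.className = 'js';";
$wpcsp_static_hash   = wpcsp_hash_source( $wpcsp_static_sample );
```

Two checks before relying on this in production. First, verify in the browser that every inline script on a page actually carries the nonce attribute; any that do not were printed outside the script API and will show up as CSP violations (a `Content-Security-Policy-Report-Only` header with a `report-uri`/`report-to` directive during rollout makes them easy to list). Second, if you use the hash route, hash the bytes as they are actually emitted in the HTML rather than the string handed to wp_add_inline_script(), since core may wrap the block in its own newlines and the browser hashes exactly what sits between the tags.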