[wp-trac] [WordPress Trac] #39941: Allow using Content-Security-Policy without unsafe-inline
WordPress Trac
noreply at wordpress.org
Thu Jan 28 18:14:39 UTC 2021
#39941: Allow using Content-Security-Policy without unsafe-inline
-------------------------------------------------+-------------------------
 Reporter:  tomdxw                               |      Owner:  (none)
     Type:  enhancement                          |     Status:  assigned
 Priority:  normal                               |  Milestone:  5.7
Component:  Security                             |    Version:  4.8
 Severity:  normal                               | Resolution:
 Keywords:  has-patch has-unit-tests             |    Focuses:  javascript
            needs-dev-note needs-refresh         |
-------------------------------------------------+-------------------------
Comment (by adamsilverstein):
@ocean90 Can you please review [attachment:"39941.2.diff"] (or the PR) -
this is a refreshed patch from the PR, I believe @enricocarraro addressed
all of your feedback.
Once this is committed, core and plugins/themes will have an API to
support CSP. I am working with @enricocarraro on a dev note explaining how
plugins and themes can add CSP support.
The next steps to get `wp-admin` to Strict CSP mode are already well
underway (though they deserve careful review and testing). They are:
* Add nonces to all `<script>` elements. With strict CSP, every `<script>`
element must have a nonce attribute which matches the value specified in
the policy. Work started in https://core.trac.wordpress.org/ticket/39941 /
https://github.com/WordPress/wordpress-develop/pull/498.
* Refactor inline event handlers and javascript: URIs. Inline event
handlers (`onclick="..."`, `onerror="..."`) and `<a href="javascript:...">`
links can be used to run scripts, so an attacker who finds an XSS bug
could inject such HTML and execute malicious JavaScript. CSP requires
refactoring those patterns into safer alternatives. Work started in
https://core.trac.wordpress.org/ticket/51407 /
https://github.com/WordPress/wordpress-develop/pull/551.
* Refactor calls to JS APIs incompatible with CSP - includes things like
`document.write()` used to load additional scripts and uses of `eval()`. I
don't think we use either of these in core; worth checking Gutenberg to
ensure it is compliant.
* Serve the Content-Security-Policy header. This final step will be the
reward at the end of the process, turning on Strict CSP.
I plan to continue working on these efforts in 5.7; my hope is to get to
strict compliance by 5.8.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/39941#comment:68>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform