[wp-trac] [WordPress Trac] #51438: Use CSP directive upgrade-insecure-requests when using HTTPS
WordPress Trac
noreply at wordpress.org
Tue Jul 6 23:38:06 UTC 2021
#51438: Use CSP directive upgrade-insecure-requests when using HTTPS
------------------------------------------+------------------------------
Reporter: flixos90 | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version:
Severity: normal | Resolution:
Keywords: needs-patch needs-unit-tests | Focuses:
------------------------------------------+------------------------------
Comment (by westonruter):
Replying to [comment:1 ayeshrajans]:
> Given that multiple CSP headers/meta tags will only further restrict the
> effective policy, I think this will be a change that would not overwrite
> if there is a CSP header sent at the web server level.
Yes, that seems to be [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#multiple_content_security_policies the case]:
> The CSP mechanism allows multiple policies being specified for a
> resource, including via the `Content-Security-Policy` header, the
> `Content-Security-Policy-Report-Only` header and a `<meta>` element.
>
> You can use the `Content-Security-Policy` header more than once […]
> Adding additional policies can only further restrict the capabilities of
> the protected resource […]
So since `upgrade-insecure-requests` is more secure than not having this
header, it should be able to override anything that came before. Anything
coming after would not be able to undo upgrading insecure requests, since
that would loosen the restrictions.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/51438#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
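The combining rule the comment relies on, shown as an added Python model of how a user agent evaluates several delivered CSP policies (constructed example, not WordPress or MDN code; the header values and origins are made up, and source matching is simplified to exact origins and `*`):

```python
"""Model of CSP policy combination: every delivered policy is enforced,
so adding a policy can only restrict.  Constructed example, not
WordPress core code."""
from typing import Dict, List, Optional, Set

UPGRADE = "upgrade-insecure-requests"


def parse_policy(header: str) -> Dict[str, Set[str]]:
    """Parse one Content-Security-Policy value into
    {directive-name: set of source expressions}."""
    policy: Dict[str, Set[str]] = {}
    for token in header.split(";"):
        parts = token.strip().split()
        if parts:
            policy[parts[0].lower()] = set(parts[1:])
    return policy


def upgrades_insecure_requests(headers: List[str]) -> bool:
    """The directive is in effect if ANY delivered policy carries it.
    A policy sent later that omits it cannot switch it back off, which
    is why a server-level CSP header cannot undo the WordPress one."""
    return any(UPGRADE in parse_policy(h) for h in headers)


def source_allowed(headers: List[str], directive: str, origin: str) -> bool:
    """A fetch is allowed only if every policy that constrains the
    directive allows it (intersection of all policies).  Simplified
    matching: exact origin or '*'; falls back to default-src as CSP does."""
    for h in headers:
        policy = parse_policy(h)
        sources: Optional[Set[str]] = policy.get(directive, policy.get("default-src"))
        if sources is None:
            continue  # this policy says nothing about the directive
        if origin not in sources and "*" not in sources:
            return False  # one policy blocks it, so the fetch is blocked
    return True


# Constructed header values: one from the web server, one WordPress would add.
SERVER_CSP = "default-src 'self' https://cdn.example"
WP_CSP = UPGRADE

if __name__ == "__main__":
    print("upgrade with server header only:", upgrades_insecure_requests([SERVER_CSP]))
    print("upgrade with both headers:", upgrades_insecure_requests([SERVER_CSP, WP_CSP]))
```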