[wp-trac] [WordPress Trac] #54214: Make it possible to add custom attribute to inline script

WordPress Trac noreply at wordpress.org
Mon Oct 4 05:46:28 UTC 2021


#54214: Make it possible to add custom attribute to inline script
-------------------------+-----------------------------
 Reporter:  erikdemarco  |      Owner:  (none)
     Type:  enhancement  |     Status:  new
 Priority:  normal       |  Milestone:  Awaiting Review
Component:  General      |    Version:
 Severity:  normal       |   Keywords:
  Focuses:               |
-------------------------+-----------------------------
 Currently, all WordPress sites in the world will not pass the Google
 Lighthouse 'best practice' test. It will always fail "Ensure CSP is
 effective against XSS attacks".

 The problem is that to enable CSP we need to add 'nonce' attributes to all
 <script> tags. (https://web.dev/csp-xss/?utm_source=lighthouse&utm_medium=devtools)

 We can only add this to external scripts by hooking into
 'script_loader_tag'.

 But for inline scripts (which are added using 'wp_add_inline_script') it's
 not possible to add a nonce attribute because it's hardcoded by WP
 (https://github.com/WordPress/WordPress/blob/2cb4ebefe2ee98fc36a5962e92590cb0451ad2a6/wp-includes/class.wp-scripts.php#L365)

 So currently there is no way for WordPress sites to apply CSP other than
 modifying core WP files directly.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/54214>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
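
The `script_loader_tag` approach the ticket mentions, as an added example (not code from the ticket or from WordPress core): a small plugin that sends a nonce-based CSP header and adds the same nonce to enqueued `<script src>` tags. The function name `example_csp_nonce`, the handle `example-app` and the script path are hypothetical.

```php
<?php
/**
 * Plugin Name: CSP nonce for enqueued scripts (illustrative example)
 */

// Hypothetical helper: one unpredictable nonce per request,
// shared by the response header and every tag we rewrite.
function example_csp_nonce() {
    static $nonce = null;
    if ( null === $nonce ) {
        $nonce = base64_encode( random_bytes( 16 ) );
    }
    return $nonce;
}

// Send the policy on front-end responses. Only <script> elements that
// carry this request's nonce are allowed to execute.
add_action( 'send_headers', function () {
    header(
        "Content-Security-Policy: script-src 'nonce-" . example_csp_nonce() .
        "' 'strict-dynamic'; object-src 'none'; base-uri 'none'"
    );
} );

// External scripts: add the nonce to every <script ... src=...> tag in the
// filtered markup. The lookahead restricts the rewrite to tags that have a
// src attribute, so nothing else in $tag is touched.
add_filter( 'script_loader_tag', function ( $tag, $handle, $src ) {
    if ( false !== stripos( $tag, ' nonce=' ) ) {
        return $tag; // already has a nonce, leave as is
    }
    $attr = '<script nonce="' . esc_attr( example_csp_nonce() ) . '"';
    return preg_replace( '/<script\b(?=[^>]*\ssrc=)/i', $attr, $tag );
}, 10, 3 );

// Hypothetical script with an inline companion, to observe both cases.
add_action( 'wp_enqueue_scripts', function () {
    wp_enqueue_script( 'example-app', plugins_url( 'app.js', __FILE__ ), array(), '1.0', true );
    // Per the ticket, the tag for this inline script is hardcoded in core, so
    // this plugin does not add a nonce to it and the policy above blocks it.
    wp_add_inline_script( 'example-app', 'window.exampleReady = true;' );
} );
```

The nonce must be fresh for every response, so a full-page cache that stores the rendered HTML would serve tags whose nonce no longer matches the header.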

