[wp-trac] [WordPress Trac] #39941: Allow using Content-Security-Policy without unsafe-inline

WordPress Trac noreply at wordpress.org
Fri Oct 22 21:01:08 UTC 2021


#39941: Allow using Content-Security-Policy without unsafe-inline
-------------------------------------------------+-------------------------
 Reporter:  tomdxw                               |       Owner:
                                                 |  adamsilverstein
     Type:  enhancement                          |      Status:  closed
 Priority:  normal                               |   Milestone:  5.7
Component:  Security                             |     Version:  4.8
 Severity:  normal                               |  Resolution:  fixed
 Keywords:  has-patch has-unit-tests commit      |     Focuses:  javascript
  has-dev-note                                   |
-------------------------------------------------+-------------------------

Comment (by enricocarraro):

 Replying to [comment:100 jmlapam]:
 > Yeah, I saw it. Would you say the filter `wp_script_attributes` can do
 > the job, or do you have something still in progress on this?

 You can safely remove `unsafe-inline` from the CSP header on pages on
 which every piece of JavaScript is included via a nonced script tag.

 You can inject nonces in script tags printed using `wp_script_attributes`.
 If a WordPress page contains a script tag that is not generated with
 `wp_script_attributes`, it will be blocked by Strict CSP.

 You should check if the pages you are interested in satisfy the above
 requirements; if they don't, you can manually modify the pages and make
 them compliant.

 There is an effort to refactor WordPress to make all script tags
 injectable, but it will require time.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/39941#comment:101>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
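The approach described in the comment above, written out as an added example (this is not code from the ticket or from WordPress core): a must-use plugin that generates one nonce per request, injects it into every script tag WordPress prints through the `wp_script_attributes` filter (and its inline counterpart `wp_inline_script_attributes`, introduced in the same 5.7 release), and sends a policy that omits `unsafe-inline`. The function names prefixed `csp_example_` are hypothetical; the header is sent in report-only mode so that any script tag a page still prints outside these filters shows up as a violation report instead of a blocked script.

```php
<?php
/**
 * Plugin Name: Strict CSP nonce example (added example, not WordPress core code)
 *
 * Place in wp-content/mu-plugins/. Assumes WordPress 5.7+, where core prints
 * script tags through wp_get_script_tag() and wp_get_inline_script_tag(),
 * which apply the wp_script_attributes and wp_inline_script_attributes
 * filters to the attribute array before rendering the tag.
 */

// Hypothetical helper: one nonce per request, reused by the header and the tags.
function csp_example_nonce() {
    static $nonce = null;
    if ( null === $nonce ) {
        // 128 bits from the CSPRNG, base64-encoded so it is a valid CSP nonce token.
        $nonce = base64_encode( random_bytes( 16 ) );
    }
    return $nonce;
}

// Hypothetical: add the nonce attribute to every script tag core renders.
function csp_example_add_nonce( array $attributes ) {
    $attributes['nonce'] = csp_example_nonce();
    return $attributes;
}
add_filter( 'wp_script_attributes', 'csp_example_add_nonce' );
add_filter( 'wp_inline_script_attributes', 'csp_example_add_nonce' );

// Hypothetical: build the Strict CSP directive list for this request's nonce.
// 'strict-dynamic' lets nonced scripts load their own dependencies without
// an allowlist of hosts, and 'unsafe-inline' is deliberately absent.
function csp_example_policy( $nonce ) {
    return implode( '; ', array(
        "script-src 'nonce-{$nonce}' 'strict-dynamic'",
        "object-src 'none'",
        "base-uri 'self'",
    ) );
}

// Hypothetical: emit the header on front-end requests before any output.
function csp_example_send_header() {
    $policy = csp_example_policy( csp_example_nonce() );
    // Report-Only first: un-nonced script tags are reported in the browser
    // console rather than blocked. Once the pages you care about produce no
    // reports, switch the header name to Content-Security-Policy.
    header( 'Content-Security-Policy-Report-Only: ' . $policy );
}
add_action( 'send_headers', 'csp_example_send_header' );
```

Load a page with the browser developer console open: every `<script>` that a theme or plugin prints directly, bypassing the script API, appears as a CSP report, which is exactly the list of tags the comment says you need to make compliant before enforcing the policy.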
