[wp-trac] [WordPress Trac] #39941: Allow using Content-Security-Policy without unsafe-inline
WordPress Trac
noreply at wordpress.org
Tue Oct 26 17:44:03 UTC 2021
#39941: Allow using Content-Security-Policy without unsafe-inline
-------------------------------------------------+-------------------------
Reporter: tomdxw                                 | Owner: adamsilverstein
Type: enhancement                                | Status: closed
Priority: normal                                 | Milestone: 5.7
Component: Security                              | Version: 4.8
Severity: normal                                 | Resolution: fixed
Keywords: has-patch has-unit-tests commit        | Focuses: javascript
          has-dev-note                           |
-------------------------------------------------+-------------------------
Comment (by scofennell@…):
Replying to [comment:101 enricocarraro]:
> You can safely remove `unsafe-inline` from the CSP header on pages on
> which every piece of JavaScript is included via a nonced script tag.
All of the sites I manage use Varnish or similar caching for non-logged in
users. For example, WP Engine calls it "full page caching" I believe.
It's unclear to me what will happen when the nonce is cached in such a
situation.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/39941#comment:103>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
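Added illustration (not part of the ticket or of WordPress core): a constructed model of the full-page-cache scenario raised above, showing the two ways a cached nonce goes wrong. If the cache replays the HTML but the CSP header is regenerated per request, the tag nonce no longer matches the header and the browser blocks the scripts; if the cache replays header and body together, every visitor receives the same nonce, so it is no longer a per-response secret. The cache model and `origin_response` are assumptions of this example, not Varnish or WordPress code.

```python
import re
import secrets

def origin_response():
    """Uncached response: a fresh nonce per request, placed in both the
    CSP header and every inline <script> tag (the pattern in the ticket)."""
    nonce = secrets.token_urlsafe(16)
    body = f'<html><script nonce="{nonce}">wp.init();</script></html>'
    return {"csp": f"script-src 'nonce-{nonce}'", "body": body}

def blocked_scripts(csp, body):
    """Nonces of <script> tags the browser would refuse to run because
    they are absent from the script-src directive."""
    allowed = set(re.findall(r"'nonce-([^']+)'", csp))
    tag_nonces = re.findall(r'<script[^>]*\snonce="([^"]*)"', body)
    return [n for n in tag_nonces if n not in allowed]

def serve_requests(n, cache_header):
    """Constructed full-page cache: the first origin response is stored and
    replayed to later visitors. With cache_header=False the CSP header is
    recomputed per request (e.g. added outside the cache) while the body is
    replayed verbatim; with cache_header=True both are replayed."""
    cached = None
    responses = []
    for _ in range(n):
        fresh = origin_response()
        if cached is None:
            cached = fresh
        csp = cached["csp"] if cache_header else fresh["csp"]
        responses.append((csp, cached["body"]))
    return responses

def audit(responses):
    """Two checks a defender should run against cached pages:
    how many responses would have scripts blocked, and how many distinct
    nonces were handed out (1 across many responses means nonce reuse)."""
    blocked = sum(1 for csp, body in responses if blocked_scripts(csp, body))
    nonces = {re.search(r"'nonce-([^']+)'", csp).group(1) for csp, _ in responses}
    return {"blocked_responses": blocked, "distinct_nonces": len(nonces)}

if __name__ == "__main__":
    print("header regenerated, body cached:", audit(serve_requests(5, False)))
    print("header and body cached together:", audit(serve_requests(5, True)))
```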