[wp-trac] [WordPress Trac] #39941: Allow using Content-Security-Policy without unsafe-inline

WordPress Trac noreply at wordpress.org
Tue Oct 26 18:49:10 UTC 2021


#39941: Allow using Content-Security-Policy without unsafe-inline
-------------------------------------------------+-------------------------
 Reporter:  tomdxw                               |       Owner:
                                                 |  adamsilverstein
     Type:  enhancement                          |      Status:  closed
 Priority:  normal                               |   Milestone:  5.7
Component:  Security                             |     Version:  4.8
 Severity:  normal                               |  Resolution:  fixed
 Keywords:  has-patch has-unit-tests commit      |     Focuses:  javascript
  has-dev-note                                   |
-------------------------------------------------+-------------------------

Comment (by enricocarraro):

 Replying to [comment:103 scofennell@…]:
 > All of the sites I manage use Varnish or similar caching for non-logged
 > in users.  For example, WP Engine calls it "full page caching" I believe.
 > At every request the nonce must be different, so full page caching is not
 > compatible with nonce-based strict CSP.
 > It's unclear to me what will happen when the nonce is cached in such a
 > situation.
 If the nonce is cached and the header too, the scripts will work but they
 cannot be considered secured by CSP, since the nonce will be reused.
 The scripts with nonces that don't match the one(s) in the CSP header will
 be blocked.
 I suggest you read [https://web.dev/strict-csp/#step-1:-decide-if-you-need-a-nonce-or-hash-based-csp Mitigate cross-site scripting (XSS) with a strict Content Security Policy (CSP)], specifically step 1.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/39941#comment:104>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform