[wp-trac] [WordPress Trac] #39941: Allow using Content-Security-Policy without unsafe-inline
WordPress Trac
noreply at wordpress.org
Tue Oct 26 20:51:03 UTC 2021
#39941: Allow using Content-Security-Policy without unsafe-inline
-------------------------------------------------+-------------------------
Reporter: tomdxw | Owner:
| adamsilverstein
Type: enhancement | Status: closed
Priority: normal | Milestone: 5.7
Component: Security | Version: 4.8
Severity: normal | Resolution: fixed
Keywords: has-patch has-unit-tests commit | Focuses: javascript
has-dev-note |
-------------------------------------------------+-------------------------
Comment (by scofennell@…):
Replying to [comment:104 enricocarraro]:
> I suggest you to read [https://web.dev/strict-csp/#step-1:-decide-if-
you-need-a-nonce-or-hash-based-csp Mitigate cross-site scripting (XSS)
with a strict Content Security Policy (CSP)], specifically step 1.
Ah, yes, right, hashes. It seems that with a cached site (varnish or
similar), I should be focused on hashes.
But that's really the core of my confusion on this ticket. I believe that
the vast majority of ordinary WordPress sites implement server-side
caching, so it's hard for me to understand why this ticket represents a
significant improvement to the CSP landscape.
Am I missing something? Or maybe is the idea here that it's good and
important to make SOME progress on CSP, for folks who can use nonces?
--
Ticket URL: <https://core.trac.wordpress.org/ticket/39941#comment:105>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list