[wp-trac] [WordPress Trac] #39941: Allow using Content-Security-Policy without unsafe-inline

WordPress Trac noreply at wordpress.org
Mon Sep 25 21:03:35 UTC 2023


#39941: Allow using Content-Security-Policy without unsafe-inline
-------------------------------------------------+-------------------------
 Reporter:  tomdxw                               |       Owner:
                                                 |  adamsilverstein
     Type:  enhancement                          |      Status:  closed
 Priority:  normal                               |   Milestone:  5.7
Component:  Security                             |     Version:  4.8
 Severity:  normal                               |  Resolution:  fixed
 Keywords:  has-patch has-unit-tests commit      |     Focuses:  javascript
  has-dev-note                                   |
-------------------------------------------------+-------------------------

Comment (by westonruter):

 In [changeset:"56687" 56687]:
 {{{
 #!CommitTicketReference repository="" revision="56687"
 Script Loader: Use `wp_get_script_tag()` and
 `wp_get_inline_script_tag()`/`wp_print_inline_script_tag()` helper
 functions to output scripts on the frontend and login screen.

 Using script tag helper functions allows plugins to employ the
 `wp_script_attributes` and `wp_inline_script_attributes` filters to inject
 the `nonce` attribute to apply Content Security Policy (e.g. Strict CSP).
 Use of helper functions also simplifies logic in `WP_Scripts`.

 * Update `wp_get_inline_script_tag()` to wrap inline script in CDATA
 blocks for XHTML-compatibility when not using HTML5.
 * Ensure the `type` attribute is printed first in
 `wp_get_inline_script_tag()` for back-compat.
 * Wrap existing `<script>` tags in output buffering to retain IDE
 support.
 * In `wp_get_inline_script_tag()`, append the newline to `$javascript`
 before it is passed into the `wp_inline_script_attributes` filter so that
 the CSP hash can be computed properly.
 * In `the_block_template_skip_link()`, opt to enqueue the inline script
 rather than print it.
 * Add `ext-php` to `composer.json` under `suggest` as previously it was an
 undeclared dependency for running PHPUnit tests.
 * Update tests to rely on `DOMDocument` to compare script markup,
 normalizing unsemantic differences.

 Props westonruter, spacedmonkey, flixos90, 10upsimon, dmsnell, mukesh27,
 joemcgill, swissspidy, azaozz.
 Fixes #58664.
 See #39941.
 }}}

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/39941#comment:108>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
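A plugin that uses the two filters named in the commit to attach a per-request `nonce` to every script tag and send a matching strict CSP header, as an added example that is not part of the changeset or of WordPress core (the `csp_example_` function names and the policy string are assumptions of this example):

```php
<?php
/**
 * Plugin Name: CSP Nonce Example (added illustration, not core code)
 *
 * Generates one random nonce per request, injects it into every
 * <script> tag that core emits through wp_get_script_tag() /
 * wp_get_inline_script_tag(), and sends a Content-Security-Policy
 * header that allows only scripts carrying that nonce.
 */

// Return the same nonce for the whole request so the header and the
// tags agree; 16 random bytes gives a 128-bit value.
function csp_example_nonce() {
	static $nonce = null;
	if ( null === $nonce ) {
		$nonce = base64_encode( random_bytes( 16 ) );
	}
	return $nonce;
}

// Filter callback shared by wp_script_attributes (external scripts) and
// wp_inline_script_attributes (inline scripts). The inline filter also
// receives the script contents as a second argument, which could be
// used for hash-based CSP instead; this example only needs $attributes.
function csp_example_add_nonce( $attributes ) {
	$attributes['nonce'] = csp_example_nonce();
	return $attributes;
}
add_filter( 'wp_script_attributes', 'csp_example_add_nonce' );
add_filter( 'wp_inline_script_attributes', 'csp_example_add_nonce' );

// Emit the policy before any output. 'strict-dynamic' lets nonced
// scripts load their own dependencies without listing hosts, and no
// 'unsafe-inline' is needed because every inline tag now carries the nonce.
add_action( 'send_headers', 'csp_example_send_header' );
function csp_example_send_header() {
	if ( headers_sent() ) {
		return;
	}
	header(
		"Content-Security-Policy: script-src 'nonce-" . csp_example_nonce() . "' 'strict-dynamic'; "
		. "object-src 'none'; base-uri 'none';"
	);
}
```

Any script a plugin or theme prints with a raw `<script>` echo rather than through the helper functions will bypass both filters and be blocked by the browser, which is the quickest way to spot remaining inline scripts while testing the policy.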

