[wp-trac] [WordPress Trac] #61452: remove Content-Security-Policy headers: 'unsafe-inline', 'unsafe-eval'
WordPress Trac
noreply at wordpress.org
Mon Jun 17 09:01:37 UTC 2024
#61452: remove Content-Security-Policy headers: 'unsafe-inline', 'unsafe-eval'
--------------------------+-----------------------------
Reporter: wpsalvio | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: 6.4.3
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
Hello, our internal security team advised us to remove the Content-Security-
Policy headers: 'unsafe-inline', 'unsafe-eval'.
They explained that the Content Security Policy (CSP) is an HTTP response
header that provides in-depth protection from critical vulnerabilities
such as cross-site scripting (XSS) and clickjacking. Inline inclusion of
JavaScript in HTML content is considered harmful as a large number of
exploited XSS are delivered as inline code. Functions such as eval(),
window.setTimeout(), and window.setImmediate() create and execute
JavaScript code from strings and are considered dangerous. The CSP header
disallows inclusion of inline JavaScript and unsafe eval functions.
However, using unsafe-inline and unsafe-eval values for the script-src
directive can bypass that restriction.
If we do it, we will block the execution of inline scripts, producing
several errors and break several UI elements including most plugins we
use.
Following is an example of the console error we get when forcing a Content
Security Policy directive of "script-src 'self'" without the 'unsafe-inline'
and 'unsafe-eval' keywords on a standard WordPress installation:
Refused to execute inline script because it violates the following Content
Security Policy directive: "script-src 'self' http://www.vanilla.local
https://ajax.googleapis.com https://www.google.com
https://www.gstatic.com". Either the 'unsafe-inline' keyword, a hash
('sha256-sa6x1vExdinT1S8/9dgCiRo5tqcGRdDRNbPjwHRIUJU='), or a nonce
('nonce-...') is required to enable inline execution.
Is a patch from the WordPress team expected to address this issue?
Thank you for your help!
--
Ticket URL: <https://core.trac.wordpress.org/ticket/61452>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
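The browser error quoted in the ticket names the two ways to keep inline scripts working without 'unsafe-inline': a per-script sha256 hash or a per-response nonce. The following is an added example, not WordPress core code and not the reporter's, that shows how both are produced and how a resulting header can be checked for the keywords the security team objected to. The HTML snippet, the host list and the function names are constructed for illustration; the hash is computed the way CSP defines it, as base64(SHA-256) over the exact UTF-8 bytes between the script tags.

```python
"""Hash- and nonce-based script-src policies for inline scripts (added example)."""
import base64
import hashlib
import re
import secrets

# Constructed sample page: one external script and two inline scripts.
SAMPLE_HTML = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script>window.wpEmojiSettings = {"baseUrl": "/wp-includes/images/"};</script>
</head><body>
<script>document.body.classList.add("js-enabled");</script>
</body></html>"""

# Hosts taken from the error message quoted in the ticket.
ALLOWED_HOSTS = [
    "http://www.vanilla.local",
    "https://ajax.googleapis.com",
    "https://www.google.com",
    "https://www.gstatic.com",
]

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.DOTALL | re.IGNORECASE)
UNSAFE_KEYWORDS = {"'unsafe-inline'", "'unsafe-eval'"}


def csp_script_hash(body: str) -> str:
    """Return the 'sha256-...' source expression for one inline script body.

    The browser hashes exactly the bytes between <script> and </script>,
    whitespace included, so the body is not trimmed or normalised here.
    """
    digest = hashlib.sha256(body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def inline_script_bodies(html: str) -> list[str]:
    """Return the bodies of <script> elements that have no src attribute."""
    bodies = []
    for attrs, body in SCRIPT_RE.findall(html):
        if re.search(r"\bsrc\s*=", attrs, re.IGNORECASE):
            continue  # external script: allowed by host sources, not by a hash
        bodies.append(body)
    return bodies


def build_hash_script_src(html: str, hosts: list[str]) -> str:
    """Build a script-src directive that allowlists each inline script by hash.

    Every change to an inline script changes its hash, so this suits static
    inline code; dynamically generated inline scripts need a nonce instead.
    """
    sources = ["'self'", *hosts]
    sources += sorted({csp_script_hash(b) for b in inline_script_bodies(html)})
    return "script-src " + " ".join(sources)


def new_nonce() -> str:
    """Fresh, unguessable nonce; must be generated per response, never reused."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def build_nonce_script_src(nonce: str, hosts: list[str]) -> str:
    """Build a script-src directive for pages whose inline scripts carry nonce="...".

    Note: once a nonce or hash is present, CSP Level 2+ browsers ignore
    'unsafe-inline' in that directive, so leaving it in gains nothing.
    """
    return "script-src " + " ".join(["'self'", *hosts, f"'nonce-{nonce}'"])


def unsafe_keywords(policy: str) -> set[str]:
    """Return the unsafe-* keywords found in the script-src directive of a policy."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "script-src":
            return UNSAFE_KEYWORDS & set(tokens[1:])
    return set()


if __name__ == "__main__":
    print("Content-Security-Policy: " + build_hash_script_src(SAMPLE_HTML, ALLOWED_HOSTS))
    print("Content-Security-Policy: " + build_nonce_script_src(new_nonce(), ALLOWED_HOSTS))
    print("unsafe keywords:", unsafe_keywords("script-src 'self' 'unsafe-inline' 'unsafe-eval'"))
```

The hash route works for a fixed set of inline scripts, which is why a stock WordPress page with plugin-injected inline code breaks under plain "script-src 'self'": each inline block needs its own hash, and any plugin update changes them. Note that neither hashes nor nonces cover 'unsafe-eval'; code that builds scripts from strings has to be changed rather than allowlisted.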