[wp-trac] [WordPress Trac] #61452: remove Content-Security-Policy headers: 'unsafe-inline', 'unsafe-eval'
WordPress Trac
noreply at wordpress.org
Tue Jun 18 01:47:13 UTC 2024
#61452: remove Content-Security-Policy headers: 'unsafe-inline', 'unsafe-eval'
--------------------------+------------------------
Reporter: wpsalvio | Owner: (none)
Type: defect (bug) | Status: closed
Priority: normal | Milestone:
Component: Security | Version: 6.4.3
Severity: normal | Resolution: duplicate
Keywords: | Focuses:
--------------------------+------------------------
Changes (by dd32):
* status: new => closed
* resolution: => duplicate
* milestone: Awaiting Review =>
Comment:
> Refused to execute inline script because it violates the following
> Content Security Policy directive: "script-src 'self'
> http://www.vanilla.local https://ajax.googleapis.com
> https://www.google.com https://www.gstatic.com". Either the
> 'unsafe-inline' keyword, a hash
> ('sha256-sa6x1vExdinT1S8/9dgCiRo5tqcGRdDRNbPjwHRIUJU='), or a nonce
> ('nonce-...') is required to enable inline execution.
These are most likely to be caused by plugins you're using, rather than
WordPress itself, as a few of them don't appear to be WordPress core.
> Is a patch from WordPress team expected to address this issue?
There's some work happening in #39941 & #59446 to ensure that WordPress
''administration'' areas are able to use CSP headers, but IMHO it's
unlikely that WordPress itself will resolve this fully ''anytime soon''
for front-end websites. #32067 is probably the best central ticket for
this.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/61452#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
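
The console error quoted in the comment above names a hash source as one way to permit an inline script without adding 'unsafe-inline'. The following Node.js script is an added example, not part of the ticket or of WordPress: it lists the inline scripts in a page, computes the hash source for each, and reports whether a given script-src list permits it. The function names and SAMPLE_HTML are constructed; the policy string is the one from the quoted error.

```javascript
// Added example: function names and SAMPLE_HTML are constructed for illustration.
const { createHash } = require('node:crypto');
// script-src value copied from the console error quoted in the ticket.
const PAGE_POLICY = "script-src 'self' http://www.vanilla.local " +
  "https://ajax.googleapis.com https://www.google.com https://www.gstatic.com";

// Constructed sample page: one external script, one inline script.
const SAMPLE_HTML = `<head>
<script src="https://ajax.googleapis.com/example.js"></script>
<script>window.examplePluginConfig = { debug: false };</script>
</head>`;

// CSP hash source: base64 SHA-256 of the exact text between the script tags.
function cspHash(scriptText) {
  const digest = createHash('sha256').update(scriptText, 'utf8').digest('base64');
  return `'sha256-${digest}'`;
}

// Inline <script> elements (no src). A regex is enough for the constructed
// sample; use a real HTML parser on production markup.
function inlineScripts(html) {
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  return [...html.matchAll(re)]
    .filter(m => !/\bsrc\s*=/i.test(m[1]))
    .map(m => ({ attrs: m[1], text: m[2] }));
}

// Source list of the script-src directive (default-src fallback not modelled).
function scriptSrcSources(policy) {
  const directive = policy.split(';').map(d => d.trim().split(/\s+/))
    .find(tokens => tokens[0].toLowerCase() === 'script-src');
  return directive ? directive.slice(1) : [];
}

// For each inline script: its hash source and whether the policy permits it.
function auditInline(html, policy) {
  const sources = scriptSrcSources(policy);
  const nonces = sources.filter(s => s.startsWith("'nonce-")).map(s => s.slice(7, -1));
  // Browsers ignore 'unsafe-inline' once any nonce or hash source is present.
  const strict = sources.some(s => /^'(nonce|sha256|sha384|sha512)-/.test(s));
  return inlineScripts(html).map(({ attrs, text }) => {
    const hash = cspHash(text);
    const nonce = (attrs.match(/\bnonce\s*=\s*["']([^"']*)["']/i) || [])[1];
    const allowed = sources.includes(hash) || nonces.includes(nonce) ||
      (!strict && sources.includes("'unsafe-inline'"));
    return { hash, allowed };
  });
}
console.log(auditInline(SAMPLE_HTML, PAGE_POLICY));
```

Any change to an inline script's text, including whitespace, changes its hash, so scripts that a plugin generates per request need a nonce instead.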