[wp-trac] [WordPress Trac] #63710: Content Security Policy (CSP) violations in WordPress – How to fix unsafe-inline script and style issues?
WordPress Trac
noreply at wordpress.org
Thu Jul 17 04:41:30 UTC 2025
#63710: Content Security Policy (CSP) violations in WordPress – How to fix unsafe-
inline script and style issues?
--------------------------+-----------------------------
Reporter: bensonap | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version: 6.8.1
Severity: critical | Keywords:
Focuses: |
--------------------------+-----------------------------
I’m working on a WordPress website and trying to implement a strict
Content Security Policy (CSP) for better security. However, I’m
encountering multiple CSP errors due to inline scripts and styles, such
as:
''Refused to execute inline script because it violates the following CSP
directive: "script-src 'self'".''
Added CSP headers using PHP:
header("Content-Security-Policy: script-src 'self'; style-src 'self';");
Noticed several WordPress plugins and themes output inline JavaScript and
inline styles.
Tried moving scripts to external files manually, but still facing issues
due to dynamically injected inline scripts.
I'm aware of nonce and hash methods, but unclear how to use them
effectively with WordPress functions like wp_enqueue_script() or
wp_add_inline_script().
Environment:
- WordPress 6.8.1
- PHP 7.4
- Using Avada multipurpose theme, multiple plugins
- Hosting on Nginx
Any code examples or best practices would be appreciated!
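One way to wire a per-request nonce into the Script API, as an added example that is not from the ticket or from WordPress core. It assumes the `wp_script_attributes` and `wp_inline_script_attributes` filters (WordPress 5.7+), which on 6.8 cover tags printed via wp_enqueue_script() and wp_add_inline_script(); the handle `csp-example` and file `csp-example.js` are hypothetical.

```php
<?php
/**
 * Hypothetical mu-plugin (added example, not WordPress core code).
 * One nonce per request: sent in the CSP header and stamped onto every
 * <script> tag that WordPress prints through its Script API.
 */
function csp_example_nonce() {
    static $nonce = null;
    if ( null === $nonce ) {
        $nonce = base64_encode( random_bytes( 16 ) ); // 128 bits, fresh per request
    }
    return $nonce;
}

// Emit the header before any output is sent (front-end requests).
add_action( 'send_headers', function () {
    $nonce = csp_example_nonce();
    header( "Content-Security-Policy: script-src 'self' 'nonce-{$nonce}'; style-src 'self'; object-src 'none'; base-uri 'self';" );
} );

// Add nonce="..." to external and inline script tags printed by WordPress.
$csp_example_add_nonce = function ( $attributes ) {
    $attributes['nonce'] = csp_example_nonce();
    return $attributes;
};
add_filter( 'wp_script_attributes', $csp_example_add_nonce );
add_filter( 'wp_inline_script_attributes', $csp_example_add_nonce );

// Usage: an enqueued file plus inline configuration; both tags carry the nonce.
add_action( 'wp_enqueue_scripts', function () {
    wp_enqueue_script( 'csp-example', get_stylesheet_directory_uri() . '/csp-example.js', array(), '1.0', true ); // hypothetical file
    wp_add_inline_script( 'csp-example', 'window.cspExample = ' . wp_json_encode( array( 'ready' => true ) ) . ';', 'before' );
} );
```

Scripts that a theme or plugin echoes directly (not through the Script API) will not receive the nonce and will still be blocked; running the same policy as Content-Security-Policy-Report-Only first is a practical way to inventory those before enforcing.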
--
Ticket URL: <https://core.trac.wordpress.org/ticket/63710>
WordPress Trac <https://core.trac.wordpress.org/>