Opened 5 years ago
Closed 5 years ago
#45531 closed defect (bug) (duplicate)
WP 5.0 and Gutenberg fails on sites with Content-Security-Policy set
| Reported by: | fazalmajid | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Security | Keywords: | |
| Focuses: | | Cc: | |
Description
See also #39941
I have the security header:

```
Content-Security-Policy: script-src 'self' fathom.majid.org
```

set on my sites to prevent XSS attacks (fathom.majid.org is my whitelisted web analytics).

The WP 5.0 and Gutenberg UI is peppered with inline <script> tags that are blocked by my browser with errors like:

```
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' fathom.majid.org". Either the 'unsafe-inline' keyword, a hash ('sha256-LZrqMXg105/BsVblQvgwyYDKJXiCWIgv2IQ6sU/VwVc='), or a nonce ('nonce-...') is required to enable inline execution.
```
The FE development best practice nowadays is to move all the JS code to versioned JS files sourced by <script src="..."> (better yet, asynchronously).
In its current shape, the user only has the choice between going back to the classic editor or disabling a critical security feature because of shortcomings in coding standards.
Change History (1)
Duplicate of #39941.
Thanks for your report! Since this falls under the scope of the ticket you linked to, we should keep the discussion at that one place to improve CSP support in core.