WordPress.org

Make WordPress Core

Opened 3 years ago

Last modified 11 months ago

#37162 new enhancement

wp_style_add_data and wp_script_add_data should accept SRI information

Reported by: michaelkrieger Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 4.5.3
Component: Script Loader Keywords:
Focuses: Cc:
PR Number:

Description (last modified by georgestephanis)

Subresource Integrity Hashes (SRI) is now recommended for many CDN sourced CSS and JavaScript as provided for in http://www.w3.org/TR/SRI/ . WordPress does not allow SRI code (or anything other than a set list) to be added via wp_*_add_data. The same applies to javascript loading in addition to stylesheet loading.

wp_*_add_data should support these tags instead of currently silently ignoring them. The two tag keys are crossorigin and integrity.

Example of recommended link tags that should be generated:

<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0-alpha.2/css/bootstrap.min.css" integrity="sha384
-y3tfxAZXuh4HwSYylfB+J125MxIs6mR5FOHamPBG064zB+AFeWH94NdvaCBm8qnd" crossorigin="anonymous">

<link href="https://maxcdn.bootstrapcdn.com/font-awesome/4.6.3/css/font-awesome.min.css" rel="stylesheet" integrity="sha384-T
8Gy5hrqNKT+hzMclPo118YTQO6cYprQmhrYwIiQ/3axmI1hQomh7Ud2hPOy8SP1" crossorigin="anonymous">

Expected (currently non-working usage)

wp_enqueue_style('bootstrap', "https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0-alpha.2/css/bootstrap.min.css", array(), null, 'all');
wp_style_add_data('bootstrap', 'crossorigin', 'anonymous');
wp_style_add_data('bootstrap', 'integrity', 'sha384-y3tfxAZXuh4HwSYylfB+J125MxIs6mR5FOHamPBG064zB+AFeWH94NdvaCBm8qnd');

Change History (2)

#1 @georgestephanis
14 months ago

  • Description modified (diff)

Previously, #33948

#2 @johnbillion
11 months ago

Closely related: #22249

Note: See TracTickets for help on using tickets.