Make WordPress Core

Opened 8 years ago

Last modified 5 years ago

#38536 new feature request (maybelater)

Hook/Function to Set Content-Security-Policy

Reported by: bhubbard's profile bhubbard Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 4.7
Component: Security Keywords:
Focuses: Cc:


I would like to see a function to set the Content-Security-Policy header. I believe it should be in core so plugins and themes can hook into to set the whitelist domains/urls. By having it in core would allow the function to prevent duplicates. Maybe default to using any script enqueued on page load?

Further Reading:

Change History (3)

#1 @bhubbard
8 years ago

  • Type changed from defect (bug) to feature request

#2 @voldemortensen
8 years ago

The hook is already in core. send_headers works great. And for wp-admin you can (ab)use admin_init.

I like this idea. I would also like to see other headers introduced like X-XSS-Protection: 1 and X-Content-Type-Options: nosniff.

#4 @iandunn
5 years ago

  • Resolution set to maybelater

Switching from wontfix to maybelater, since that's more accurate.


Note: See TracTickets for help on using tickets.