Opened 9 years ago
Closed 15 months ago
#38536 closed feature request (maybelater)
Hook/Function to Set Content-Security-Policy
| Reported by: |
|
Owned by: | |
|---|---|---|---|
| Milestone: | Priority: | normal | |
| Severity: | normal | Version: | 4.7 |
| Component: | Security | Keywords: | |
| Focuses: | Cc: |
Description
I would like to see a function to set the Content-Security-Policy header. I believe it should be in core so plugins and themes can hook into to set the whitelist domains/urls. By having it in core would allow the function to prevent duplicates. Maybe default to using any script enqueued on page load?
Further Reading:
https://scotthelme.co.uk/content-security-policy-an-introduction/
https://securityheaders.io
Change History (4)
#4
@
7 years ago
- Resolution set to maybelater
Switching from wontfix to maybelater, since that's more accurate.
xref: https://make.wordpress.org/core/2019/01/14/follow-up-on-recent-trac-bulk-edit/
Note: See
TracTickets for help on using
tickets.
The hook is already in core.
send_headersworks great. And for wp-admin you can (ab)useadmin_init.I like this idea. I would also like to see other headers introduced like
X-XSS-Protection: 1andX-Content-Type-Options: nosniff.