WordPress.org

Make WordPress Core

Opened 13 months ago

Last modified 13 months ago

#38536 new feature request

Hook/Function to Set Content-Security-Policy

Reported by: bhubbard Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 4.7
Component: Security Keywords:
Focuses: Cc:

Description

I would like to see a function to set the Content-Security-Policy header. I believe it should be in core so plugins and themes can hook into to set the whitelist domains/urls. By having it in core would allow the function to prevent duplicates. Maybe default to using any script enqueued on page load?

Further Reading:
https://scotthelme.co.uk/content-security-policy-an-introduction/
https://securityheaders.io

Change History (2)

#1 @bhubbard
13 months ago

  • Type changed from defect (bug) to feature request

#2 @voldemortensen
13 months ago

The hook is already in core. send_headers works great. And for wp-admin you can (ab)use admin_init.

I like this idea. I would also like to see other headers introduced like X-XSS-Protection: 1 and X-Content-Type-Options: nosniff.

Note: See TracTickets for help on using tickets.