Opened 8 years ago
Closed 2 weeks ago
#38536 closed feature request (maybelater)
Hook/Function to Set Content-Security-Policy
| Reported by: | bhubbard | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 4.7 |
| Component: | Security | Keywords: | |
| Focuses: | | Cc: | |
Description
I would like to see a function to set the Content-Security-Policy header. I believe it should be in core so plugins and themes can hook into it to set the whitelist domains/URLs. Having it in core would allow the function to prevent duplicates. Maybe default to using any script enqueued on page load?
Further Reading:
https://scotthelme.co.uk/content-security-policy-an-introduction/
https://securityheaders.io
Change History (4)
#4 @ 6 years ago
- Resolution set to maybelater

Switching from wontfix to maybelater, since that's more accurate.
xref: https://make.wordpress.org/core/2019/01/14/follow-up-on-recent-trac-bulk-edit/
The hook is already in core. send_headers works great. And for wp-admin you can (ab)use admin_init.

I like this idea. I would also like to see other headers introduced like X-XSS-Protection: 1 and X-Content-Type-Options: nosniff.
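
Added example (not WordPress core code and not written by anyone on this ticket): one way a plugin could use the existing send_headers and admin_init hooks mentioned in the comments to send a single, de-duplicated Content-Security-Policy that other plugins and themes extend. The filter name example_csp_sources, the example_* functions and the CDN origin are hypothetical.

```php
<?php
// Added example: the 'example_csp_sources' filter and example_* functions are hypothetical.

function example_csp_build_header() {
    // Default policy: same-origin only.
    $defaults = array(
        'default-src' => array( "'self'" ),
        'script-src'  => array( "'self'" ),
        'style-src'   => array( "'self'" ),
    );

    // Plugins and themes append their sources through this (hypothetical) filter.
    $sources = apply_filters( 'example_csp_sources', $defaults );

    $directives = array();
    foreach ( (array) $sources as $directive => $values ) {
        // Directive names may contain only lowercase letters and hyphens.
        if ( ! preg_match( '/^[a-z-]+$/', $directive ) || ! is_array( $values ) ) {
            continue;
        }
        // Reject values that could terminate the directive or split the header.
        $values = array_filter( $values, function ( $v ) {
            return is_string( $v ) && '' !== $v && ! preg_match( '/[;,\s]/', $v );
        } );
        // Two plugins registering the same origin yields one entry.
        $values = array_unique( $values );
        if ( $values ) {
            $directives[] = $directive . ' ' . implode( ' ', $values );
        }
    }
    return implode( '; ', $directives );
}

function example_csp_send_header() {
    $policy = example_csp_build_header();
    if ( '' !== $policy && ! headers_sent() ) {
        header( 'Content-Security-Policy: ' . $policy );
    }
}
add_action( 'send_headers', 'example_csp_send_header' ); // front-end requests
add_action( 'admin_init', 'example_csp_send_header' );   // wp-admin requests

// A plugin registering a constructed CDN origin for its scripts.
add_filter( 'example_csp_sources', function ( $sources ) {
    $sources['script-src'][] = 'https://cdn.example.com';
    return $sources;
} );
```

A policy this strict blocks inline scripts and styles; sending it under the Content-Security-Policy-Report-Only header name first shows what a given site would break before it is enforced.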