WordPress.org

Make WordPress Core

Opened 5 years ago

Last modified 2 years ago

#38536 new feature request (maybelater)

Hook/Function to Set Content-Security-Policy

Reported by: bhubbard Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 4.7
Component: Security Keywords:
Focuses: Cc:

Description

I would like to see a function to set the Content-Security-Policy header. I believe it should be in core so plugins and themes can hook into to set the whitelist domains/urls. By having it in core would allow the function to prevent duplicates. Maybe default to using any script enqueued on page load?

Further Reading:
https://scotthelme.co.uk/content-security-policy-an-introduction/
https://securityheaders.io

Change History (3)

#1 @bhubbard
5 years ago

  • Type changed from defect (bug) to feature request

#2 @voldemortensen
5 years ago

The hook is already in core. send_headers works great. And for wp-admin you can (ab)use admin_init.

I like this idea. I would also like to see other headers introduced like X-XSS-Protection: 1 and X-Content-Type-Options: nosniff.

#4 @iandunn
3 years ago

  • Resolution set to maybelater

Switching from wontfix to maybelater, since that's more accurate.

xref: https://make.wordpress.org/core/2019/01/14/follow-up-on-recent-trac-bulk-edit/

Note: See TracTickets for help on using tickets.