Make WordPress Core

Changes between Version 1 and Version 2 of Ticket #39941, comment 17


Timestamp:
08/06/2018 05:51:51 PM (13 months ago)
Author:
jadeddragoon
Comment:

  • Ticket #39941, comment 17

    Unmodified (v1 and v2):

    If you mean that, at that point, an attacker could introduce their own CSP policy via {{{<meta http-equiv="Content-Security-Policy"}}} then this, while true, has no bearing here. As per the current CSP documentation [https://www.w3.org/TR/CSP2/#enforcing-multiple-policies here] the most restrictive policy for a given directive "wins". This is because all policies are enforced and any use of a feature matching a directive must pass all defined policies.

    Removed (v1):

    So if I configure a strong CSP header that doesn't allow inline scripts and styles and lists no nonces or hashes and then an attacker manages to inject a CSP of his own via meta tags with {{{unsafe-inline}}} (or a hash... or a nonce}}} for the injected code... his code still won't run. It will pass the policy he injected but fail the original policy... and it must pass all policies.

    Added (v2):

    So if I configure a strong CSP header that doesn't allow inline scripts and styles and lists no nonces or hashes and then an attacker manages to inject a CSP of his own via meta tags with {{{unsafe-inline}}} (or a hash... or a nonce) for the injected code... his code still won't run. It will pass the policy he injected but fail the original policy... and it must pass all policies.
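The enforcement rule the comment relies on, that every delivered policy is checked and an inline script runs only if all of them allow it, as an added example that is not part of the ticket or of WordPress core. The policy strings and script body are constructed, and the checker is a simplified model of CSP2 script-src matching (no 'strict-dynamic', no host or path matching).

```python
import base64
import hashlib

# Constructed sample policies (not from the ticket): a strong header policy
# and a weaker policy an attacker might inject through a <meta> tag.
HEADER_POLICY = "default-src 'self'; script-src 'self'"
INJECTED_META_POLICY = "script-src 'unsafe-inline'"

def parse_policy(policy: str) -> dict:
    """Split a CSP string into {directive: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def sha256_source(body: str) -> str:
    """CSP2 hash-source expression for an inline script body."""
    digest = hashlib.sha256(body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

def policy_allows_inline_script(policy: str, nonce=None, body=None) -> bool:
    """Does this single policy let an inline script execute?
    Simplified CSP2 model: script-src falls back to default-src; a policy
    with neither does not govern scripts; 'unsafe-inline' is ignored once
    the same directive carries a nonce or hash."""
    directives = parse_policy(policy)
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return True
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in sources)
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        return True
    if nonce is not None and f"'nonce-{nonce}'" in sources:
        return True
    if body is not None and sha256_source(body) in sources:
        return True
    return False

def inline_script_runs(policies, nonce=None, body=None) -> bool:
    """Every delivered policy (header and any <meta>) is enforced, so the
    script runs only if each of them allows it: the strictest one wins."""
    return all(policy_allows_inline_script(p, nonce, body) for p in policies)

if __name__ == "__main__":
    print(inline_script_runs([INJECTED_META_POLICY]))                 # True
    print(inline_script_runs([HEADER_POLICY, INJECTED_META_POLICY]))  # False
```

The second call shows the comment's point: the injected policy alone would pass the script, but combined with the header policy it is blocked.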