Changes between Version 2 and Version 3 of Ticket #39941, comment 24


Timestamp:
03/20/2019 04:48:45 PM (6 months ago)
Author:
jadeddragoon
Ticket #39941, comment 24

Paragraph 1 (unmodified in v2 and v3):

I really must re-iterate that this appears to be an end-run around CSP. It will not make WP sites more secure and, arguably, will make them less secure by giving site operators and visitors a false sense of security. WP should be made compliant with strong CSP policies... not try to defeat them.

Paragraph 2, v2 (removed):

Blocking "unsafe-inline" javascript via CSP exists explicitly to close one common vector attackers use to inject malicious code into a page by making sure any such injected code never gets executed by client browsers. The CSP is (when done correctly) set in the httpd... independent of the site code. It is enforced by the client browser. What this patch does is allow this vulnerability to remain open on wordpress sites without users being made aware of it by tricking the client browser into believing the code has been validated by the site operator when it has not.

Paragraph 2, v3 (added):

Blocking "unsafe-inline" javascript via CSP exists explicitly to close one common vector attackers use to inject malicious code into a page by making sure any code that might have been injected never gets executed by client browsers. The CSP is (when done correctly) set in the httpd... independent of the site code. It is enforced by the client browser. What this patch does is allow this vulnerability to remain open on wordpress sites without users being made aware of it by tricking the client browser into believing the code has been validated by the site operator when it has not.
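As an added illustration, not part of this ticket or of WordPress's own code, the following Python models the enforcement the comment describes: the httpd sends a Content-Security-Policy header carrying a per-response nonce, and the browser executes an inline script only when the element carries that same nonce; once a nonce or hash source is present, 'unsafe-inline' is ignored (a simplification of the CSP Level 3 rules). The header builder, the sample page, and every function name here are constructed for this example.

```python
import re
import secrets


def make_nonce():
    # Fresh, unpredictable value for every response. A nonce that is constant
    # or derivable from site state gives injected markup a way to carry a
    # valid nonce, which is exactly the false sense of security the comment warns about.
    return secrets.token_urlsafe(16)


def build_csp_header(nonce):
    # Value the httpd would send in the Content-Security-Policy header.
    # Note the absence of 'unsafe-inline': only nonced inline scripts may run.
    return f"default-src 'self'; script-src 'self' 'nonce-{nonce}'"


def parse_csp(header):
    # Split "directive source source; directive ..." into a dict of source lists.
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def inline_script_allowed(header, script_nonce):
    # Simplified browser-side decision for one inline <script> element.
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src", []))
    nonces = {s[len("'nonce-"):-1] for s in sources
              if s.startswith("'nonce-") and s.endswith("'")}
    has_hash = any(s.startswith(("'sha256-", "'sha384-", "'sha512-"))
                   for s in sources)
    if script_nonce is not None and script_nonce in nonces:
        return True
    # CSP2/CSP3: 'unsafe-inline' is ignored when a nonce or hash source is listed,
    # so a policy that names a nonce cannot be weakened back to "run everything".
    if "'unsafe-inline'" in sources and not nonces and not has_hash:
        return True
    return False


SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.S | re.I)
NONCE_RE = re.compile(r'\bnonce="([^"]*)"', re.I)


def audit_inline_scripts(header, html):
    # For each inline script in the served HTML, report (body, would_execute).
    results = []
    for attrs, body in SCRIPT_RE.findall(html):
        if re.search(r"\bsrc=", attrs, re.I):
            continue  # external scripts are governed by host sources, not nonces
        m = NONCE_RE.search(attrs)
        nonce = m.group(1) if m else None
        results.append((body.strip(), inline_script_allowed(header, nonce)))
    return results


def sample_html(nonce):
    # Constructed page: the first script is what the site itself emitted (nonced),
    # the second stands in for markup that reached the page without the site's
    # involvement and therefore has no nonce.
    return (
        "<html><body>\n"
        f'<script nonce="{nonce}">initTheme();</script>\n'
        "<script>/* content not emitted by the site */</script>\n"
        "</body></html>"
    )


if __name__ == "__main__":
    nonce = make_nonce()
    strict = build_csp_header(nonce)
    weak = "script-src 'self' 'unsafe-inline'"
    for label, header in (("nonce policy", strict), ("unsafe-inline policy", weak)):
        print(label)
        for body, allowed in audit_inline_scripts(header, sample_html(nonce)):
            print(f"  {'RUNS   ' if allowed else 'BLOCKED'} {body}")
```

Under the nonce policy only the site's own script runs; under the 'unsafe-inline' policy both run, which is the vector the comment says the header exists to close. The nonce only carries that guarantee if it is generated fresh per response at the layer that sets the header and is never exposed in a way that lets arbitrary markup copy it.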