Make WordPress Core

Changes between Version 1 and Version 2 of Ticket #39941, comment 26

Timestamp: 03/20/2019 10:50:09 PM (5 years ago)
Author: jadeddragoon
  • Ticket #39941, comment 26

    Line 5 (unchanged in both versions):
    > Only the application itself will know the elements that need to be allowed,

    Line 7, v1:
    If you don't use inline javascript at all, then you will know exactly which elements need nonces: none of them. And if the javascript is inline but static then you can use checksums at deploy time instead.

    Line 7, v2:
    If you don't use inline javascript at all, then you will know exactly which elements need nonces: none of them. And if the javascript is inline but static then you can configure the CSP to use checksums at deploy time instead.

    Line 9 (unchanged in both versions):
    All javascript should be moved to separate files. The javascript itself should be static... not templated via php... and thus not at risk of code injection via php. This restriction then allows features of CSP (such as strict-dynamic) to work as intended. Then the needed CSP policy would be known at deploy time and can be set in an independent application (httpd), applying the principle of [https://www.owasp.org/index.php/Separation_of_duties separation of duties].
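The "checksums at deploy time" approach from the comment, as an added illustration that is not part of the ticket or of WordPress core: a deploy-time script hashes each static inline script body in a template and emits the `script-src` directive with CSP `'sha256-...'` hash-sources, so httpd can serve the policy without nonces. The template and the helper names are constructed for this example.

```python
import base64
import hashlib
import re

# Constructed sample template: two static inline scripts plus one external file.
# Each inline body is hashed exactly as served, whitespace and newlines included.
SAMPLE_HTML = """<!doctype html>
<html><head>
<script>window.appConfig = {"debug": false};</script>
</head><body>
<script>
  document.documentElement.classList.add("js");
</script>
<script src="/assets/app.js"></script>
</body></html>
"""

# Inline <script> elements only; tags carrying a src= attribute are external
# files and are covered by host-sources such as 'self', not by hashes.
_INLINE_SCRIPT = re.compile(
    r"<script(?![^>]*\bsrc=)[^>]*>(.*?)</script>", re.DOTALL | re.IGNORECASE
)


def inline_scripts(html: str) -> list[str]:
    """Return the bodies of inline <script> elements, byte-for-byte as served."""
    return _INLINE_SCRIPT.findall(html)


def csp_hash(source: str) -> str:
    """CSP hash-source for one script body: base64(SHA-256(UTF-8 bytes))."""
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def script_src_directive(html: str, host_sources=("'self'",)) -> str:
    """Build the script-src directive for a template at deploy time."""
    sources = list(host_sources) + [csp_hash(s) for s in inline_scripts(html)]
    return "script-src " + " ".join(sources)


def inline_allowed(directive: str, source: str) -> bool:
    """Would a browser enforcing this directive execute the given inline body?"""
    return csp_hash(source) in directive.split()


if __name__ == "__main__":
    print("Content-Security-Policy: " + script_src_directive(SAMPLE_HTML))
```

Any change to an inline body after the policy is generated, including one injected through a PHP template, produces a different hash and is refused by the browser.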