Make WordPress Core

Changes between Version 4 and Version 5 of Ticket #39941, comment 31


Timestamp:
03/22/2019 08:36:11 PM (5 years ago)
Author:
jadeddragoon

  • Ticket #39941, comment 31

    v4 v5  
    8 8
    9 9 This is even worse! Now they don't even have to find templated js that explicitly requests a nonce nor request one themselves... now even existing WordPress XSS exploits can take advantage of it and future exploits don't have to ask for the nonce specifically.
    10 
    11 I was being very slightly hyperbolic with my claim that it was the same as unsafe-inline. But with this change I'm not... now it really is exactly as bad (again, except that it lies to the user about their risk level... so it's really worse). You've removed the edge case where it wouldn't be.