Changes between Version 4 and Version 5 of Ticket #39941, comment 31
Timestamp: 03/22/2019 08:36:11 PM (5 years ago)
This is even worse! Now they don't even have to find templated js that explicitly requests a nonce nor request one themselves... now even existing WordPress XSS exploits can take advantage of it and future exploits don't have to ask for the nonce specifically.

I was being very slightly hyperbolic with my claim that it was the same as unsafe-inline. But with this change I'm not... now it really is exactly as bad (again, except that it lies to the user about their risk level... so it's really worse). You've removed the edge case where it wouldn't be.