id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc,focuses
39941,Allow using Content-Security-Policy without unsafe-inline,tomdxw,adamsilverstein,"Currently when using Content-Security-Policy with WordPress, you must use the `unsafe-inline` directive because there are a lot of blocks of inline JavaScript in WordPress core. This means that the browser cannot protect the user from attacks using XSS vulnerabilities. This is an unsatisfying situation because XSS vulnerabilities can be found in a great number of WordPress plugins.

The patch I’m providing today makes it possible to write a plugin which uses CSP without `unsafe-inline`. Such a plugin would make the vast majority of XSS vulnerabilities found in WP plugins useless to an attacker.

I’ve just added one new function: `inline_js()`. Now instead of writing ``, you would write ``.

I’ve changed enough instances of inline JavaScript to use `inline_js()` that you can try it out:

- Apply this patch to WordPress
- Install and activate this plugin: https://gist.github.com/tomdxw/e2aee45ad5cb2a309c6bd0fc213efb97
- Visit /wp-admin/
- If you have any plugins or themes activated which add inline JavaScript to the admin interface, you’ll see that those have been blocked (in the console tab of developer tools).

I’ve only changed some instances of inline JavaScript in this patch - enough to prove that it will work.",enhancement,closed,normal,5.7,Security,4.8,normal,fixed,has-patch has-unit-tests commit has-dev-note,,javascript