Make WordPress Core

#45531 closed defect (bug) (duplicate)

WP 5.0 and Gutenberg fails on sites with Content-Security-Policy set

Reported by: fazalmajid
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Security
Keywords:
Focuses:
Cc:
PR Number:

Description

See also #39941

I have the security header:

Content-Security-Policy: script-src 'self' fathom.majid.org

set on my sites to prevent XSS attacks (fathom.majid.org is my whitelisted web analytics).

The WP 5.0 and Gutenberg UI is peppered with inline <script> tags that are blocked by my browser with errors like:

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' fathom.majid.org". Either the 'unsafe-inline' keyword, a hash ('sha256-LZrqMXg105/BsVblQvgwyYDKJXiCWIgv2IQ6sU/VwVc='), or a nonce ('nonce-...') is required to enable inline execution.

The FE development best practice nowadays is to move all the JS code to versioned JS files sourced by <script src="..."> (better yet, asynchronously).

In its current shape, the user only has the choice between going back to the classic editor or disabling a critical security feature because of shortcomings in coding standards.

Change History (1)

#1 @swissspidy
12 months ago

  • Component changed from General to Security
  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #39941.

Thanks for your report! Since this falls under the scope of the ticket you linked to, we should keep the discussion at that one place to improve CSP support in core.
