Opened 4 years ago
Last modified 17 months ago
#51325 new enhancement
Add a filter for script/style tags injected by wp_add_inline_{script|style}
Reported by: | pjohanneson | Owned by: | |
---|---|---|---|
Milestone: | Future Release | Priority: | normal |
Severity: | normal | Version: | |
Component: | Script Loader | Keywords: | needs-refresh |
Focuses: | | Cc: | |
Description
In attempting to write a Content Security Policy for my WordPress site, I've run into issues with WordPress loading a few inline scripts and styles. I would like to be able to add a CSP nonce to each of the `<script>` and `<style>` tags, ideally with a WordPress filter. However, the tags appear to have no filters associated with them.
Something similar to the filters `script_loader_tag` and `style_loader_tag` (which I'm already using in my CSP attempts) would be very handy.
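The approach the description refers to, as an added example that is not part of the ticket, its patches, or WordPress core: one nonce per request is attached through the existing `script_loader_tag` and `style_loader_tag` filters and advertised in the CSP header. The `example_*` function names, the policy string, and the sample tags are assumptions made for illustration; tags that never pass through these two filters stay without a nonce, which is the gap the ticket asks to close.

```php
<?php
// Added example, not WordPress core code. All example_* names are hypothetical.

/** Return one unpredictable nonce, generated once and reused for the whole request. */
function example_csp_nonce(): string {
    static $nonce = null;
    if ($nonce === null) {
        $nonce = base64_encode(random_bytes(18)); // 144 bits from the CSPRNG
    }
    return $nonce;
}

/** Add nonce="..." to every <script>, <style> or <link> opening tag that lacks one. */
function example_add_nonce(string $html): string {
    $attr = ' nonce="' . htmlspecialchars(example_csp_nonce(), ENT_QUOTES) . '"';
    return preg_replace_callback(
        '/<(script|style|link)\b(?![^>]*\snonce=)([^>]*)>/i',
        static fn(array $m): string => '<' . $m[1] . $attr . $m[2] . '>',
        $html
    );
}

/** Build the header that allows only same-origin and nonce-bearing scripts and styles. */
function example_csp_header(): string {
    $n = example_csp_nonce();
    return "Content-Security-Policy: script-src 'self' 'nonce-$n'; style-src 'self' 'nonce-$n'";
}

if (function_exists('add_filter')) {
    // Inside WordPress: hook the two existing loader-tag filters named in the ticket.
    add_filter('script_loader_tag', 'example_add_nonce');
    add_filter('style_loader_tag', 'example_add_nonce');
    // send_headers runs on front-end requests before any output is sent.
    add_action('send_headers', static function (): void {
        header(example_csp_header());
    });
} else {
    // Stand-alone run (php example.php) over constructed sample tags.
    echo example_add_nonce("<script src='/wp-includes/js/jquery/jquery.min.js' id='jquery-core-js'></script>\n");
    echo example_add_nonce("<link rel='stylesheet' id='demo-css' href='/wp-content/themes/demo/style.css' />\n");
    echo example_add_nonce("<script nonce=\"already-set\">var keep = 1;</script>\n"); // left untouched
    echo example_csp_header(), "\n";
}
```

The nonce must be regenerated on every response, so a page cache that stores the rendered HTML has to be bypassed or made nonce-aware for this policy to hold.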
Attachments (3)
Change History (12)
#3
@
4 years ago
- Keywords has-patch needs-refresh added
- Milestone changed from Awaiting Review to 5.8
Thanks for the ticket and welcome to WordPress Core Trac @pjohanneson!
Also, thanks for the patch @geekpress, this looks like a nice enhancement to me.
Moving for 5.8 consideration.
(adding `has-patch` / `needs-refresh` workflow keywords, to make sure the @since tags are refreshed)
#6
@
3 years ago
- Keywords has-patch needs-refresh removed
Thank you for refreshing the patch for 5.8.0.
In looking over, your choice to add these filters in the `do_action` functions might not be enough, you may instead need to add it inside `WP_Scripts::print_inline_script` and `WP_Styles::print_inline_style`.
A quick look shows that a few plugins and themes at least do call these functions directly, so anyone implementing the new filters would likely expect their adjustments to work in those cases as well.
For reference: plugins calling `print_inline_script`, plugins calling `print_inline_style`, themes calling `print_inline_script`, themes calling `print_inline_style`.
#7
@
3 years ago
- Keywords needs-refresh added
- Milestone changed from 5.8 to Future Release
Today is the feature freeze for 5.8. Since this needs a bit of attention to address the feedback above, I'm going to punt to `Future Release`. It can be moved back to a numbered milestone when someone is able to give it some attention.
#8
@
3 years ago
Getting back into this, and I'm seeing there are also a lot of `<script>` tags in `wp-includes`, `wp-admin`, and elsewhere. Would it be wise to add a PHP-generated nonce to all of those, too? If so, my diff is gonna touch _a lot_ of files.
Hi there 🤚
I've added a patch to add 3 new hooks:
inline_script_before_loader_tag
inline_script_after_loader_tag
inline_style_loader_tag
I have voluntarily added the hooks before to be printed into the `do_item` functions. Why?
We would be able to make some updates on the script/style tag AND the content.
Here are some usages of the hooks:
1. Add a custom attribute on the inline script tag
2. Wrap the content of the inline scripts: