Make WordPress Core

Opened 3 years ago

Last modified 3 months ago

#53902 new feature request

Automating the creation of inline javascript and inline stylesheet nonces or hashes

Reported by: Josiah S. Carberry
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version:
Component: Security
Keywords:
Focuses: javascript
Cc:

Description

Inline JavaScript and stylesheets are fairly common in the WordPress ecosystem. Site managers wishing to harden WordPress via a Content Security Policy must either allow such inline code via the "unsafe-inline" directive or find a way to include either hashes or nonces in the CSP and, for nonces, in the code itself.

While there are means to determine hashes for static JavaScript or stylesheets, this is hardly possible for dynamically created code. It would help better secure WordPress sites if WP included functionality that could automate the creation of nonces or hashes and automatically include them in a function that sends the appropriate, dynamically created, header via PHP or perhaps by writing to .htaccess or the like.

Change History (5)

#1 @swissspidy
3 years ago

  • Component changed from General to Security
  • Focuses javascript added

Have you seen https://make.wordpress.org/core/2021/02/23/introducing-script-attributes-related-functions-in-wordpress-5-7/?

That post explains the multi-step plan to bring wp-admin to strict CSP mode, with the first part being achieved in #39941. The next step is #51407.

Eventually, all inline scripts in core will be added with the wp_print_script_tag() function and get a nonce through that function.
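The nonce flow described in the ticket and in the comment above, as an added example that is not WordPress core code and not part of this ticket: a small mu-plugin that generates one CSP nonce per response, sends the policy header, hooks the `wp_script_attributes` / `wp_inline_script_attributes` filters (introduced with `wp_print_script_tag()` in 5.7) so core-printed script tags carry the nonce, and offers a hash helper for the static-code case. The `csp_example_*` function names and the policy contents are assumptions.

```php
<?php
// Added example (not WordPress core): per-response CSP nonce for inline scripts and
// styles. Drop into wp-content/mu-plugins/. Caveat: full-page caches that store the
// HTML would replay one nonce to every visitor, which defeats the point of a nonce.

function csp_example_nonce(): string {
    static $nonce = null;
    if ( $nonce === null ) {
        // 128 bits from a CSPRNG, base64-encoded as the CSP grammar expects.
        $nonce = base64_encode( random_bytes( 16 ) );
    }
    return $nonce;
}

// For static inline code the hash form works without touching the markup.
// Returns a source expression such as 'sha256-<base64 digest>' (assumed policy style).
function csp_example_hash_source( string $inline_code ): string {
    return "'sha256-" . base64_encode( hash( 'sha256', $inline_code, true ) ) . "'";
}

// 1. Send the policy before any output. 'strict-dynamic' lets nonced scripts load
//    further scripts; 'unsafe-inline' is NOT listed, so un-nonced inline code is blocked.
add_action( 'send_headers', function () {
    $nonce = csp_example_nonce();
    header(
        "Content-Security-Policy: "
        . "script-src 'nonce-{$nonce}' 'strict-dynamic'; "
        . "style-src 'self' 'nonce-{$nonce}'; "
        . "object-src 'none'; base-uri 'self'"
    );
} );

// 2. Attach the nonce to every <script> that core prints through
//    wp_get_script_tag() / wp_get_inline_script_tag().
$csp_example_add_nonce = function ( array $attributes ): array {
    $attributes['nonce'] = csp_example_nonce();
    return $attributes;
};
add_filter( 'wp_script_attributes', $csp_example_add_nonce );
add_filter( 'wp_inline_script_attributes', $csp_example_add_nonce );

// 3. Core has no equivalent helper for inline <style> yet (the open part of this
//    ticket), so theme and plugin code would print nonced style tags via a helper.
function csp_example_inline_style( string $css ): string {
    return sprintf( '<style nonce="%s">%s</style>', esc_attr( csp_example_nonce() ), $css );
}
```

Verify in the browser console: inline scripts and styles lacking the nonce attribute are reported as CSP violations, while those printed through the filtered tag functions or `csp_example_inline_style()` execute.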

#2 @Josiah S. Carberry
3 years ago

I guess the inline javascript part is already in the works. I had not seen that. Remains, however, to do the same thing for inline stylesheets.

#3 @sabernhardt
3 years ago

  • Version trunk deleted

#4 @jornfranke
3 months ago

Is there an update on this? It is good that unsafe-eval is not needed anymore with the latest Gutenberg version. However, unsafe-inline seems to be still an open issue.

Is there a ticket where one can track the progress of unsafe-inline and see what is still outstanding?

It would be good if it can be resolved as the security and privacy of the WordPress users can be much better protected (given also the many vulnerabilities of third-party plugins).

#5 @jornfranke
3 months ago

Someone on the Gutenberg project proposed a solution: https://github.com/WordPress/gutenberg/issues/42513#issuecomment-2054160477

This could be a good start. It really can help to increase the security of WordPress for its users significantly.
