Make WordPress Core

Opened 4 months ago

Last modified 4 months ago

#53902 new feature request

Automating the creation of inline javascript and inline stylesheet nonces or hashes

Reported by: Josiah S. Carberry
Owned by: (none)
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: trunk
Component: Security
Keywords: (none)
Focuses: javascript
Cc: (none)

Description

Inline JavaScript and stylesheets are fairly common in the WordPress ecosystem. Site managers wishing to harden WordPress via a Content Security Policy have a choice between allowing such inline code via the "unsafe-inline" directive and finding a way to include either hashes or nonces in the CSP and, for nonces, in the code itself.

While there are means to determine hashes for static JavaScript or stylesheets, this is hardly possible for dynamically created code. It would help to better secure WordPress sites if WP included functionality that could automate the creation of nonces or hashes and automatically include them in a function that sends the appropriate, dynamically created header via PHP, or perhaps by writing to .htaccess or the like.

Change History (2)

#1 @swissspidy
4 months ago

  • Component changed from General to Security
  • Focuses javascript added

Have you seen https://make.wordpress.org/core/2021/02/23/introducing-script-attributes-related-functions-in-wordpress-5-7/?

That post explains the multi-step plan to bring wp-admin to strict CSP mode, with the first part being achieved in #39941. The next step is #51407.

Eventually, all inline scripts in core will be added with the wp_print_script_tag() function and get a nonce through that function.

#2 @Josiah S. Carberry
4 months ago

I guess the inline JavaScript part is already in the works. I had not seen that. Remains, however, to do the same thing for inline stylesheets.
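The following is an added example, not code from WordPress core or from anyone in this thread, showing how the two halves of the request fit together with the WP 5.7 script-attribute functions that comment #1 points to: a per-request nonce is attached to every script tag printed through wp_print_script_tag() / wp_print_inline_script_tag() via the real wp_script_attributes and wp_inline_script_attributes filters, and inline stylesheets (the part comment #2 notes is still open) are covered with SHA-256 hashes instead, since the CSP header must be sent before any output. The send_headers action and the filter names exist in WordPress; every function name prefixed example_, the global array, and the sample CSS are assumptions made for this illustration.

```php
<?php
/**
 * Added example, not WordPress core code. Assumes a front-end request
 * (send_headers fires from wp()); every example_* name is hypothetical.
 */

// One nonce per request, generated lazily so the header and every
// script tag see the same value.
function example_csp_nonce() {
    static $nonce = null;
    if ( null === $nonce ) {
        // 128 bits from the CSPRNG, base64 so it matches the CSP nonce grammar.
        $nonce = base64_encode( random_bytes( 16 ) );
    }
    return $nonce;
}

// wp_get_script_tag() / wp_print_script_tag() run wp_script_attributes;
// wp_get_inline_script_tag() / wp_print_inline_script_tag() run
// wp_inline_script_attributes. Both get the same nonce attribute.
function example_add_nonce_attr( $attributes ) {
    $attributes['nonce'] = example_csp_nonce();
    return $attributes;
}
add_filter( 'wp_script_attributes', 'example_add_nonce_attr' );
add_filter( 'wp_inline_script_attributes', 'example_add_nonce_attr' );

// Inline styles have no core helper yet, so collect the exact CSS text
// that will be printed and hash it for style-src.
$example_inline_styles = array(); // css text => true, per request

function example_register_inline_style( $css ) {
    global $example_inline_styles;
    $example_inline_styles[ $css ] = true;
}

function example_style_hash( $css ) {
    // The digest covers the element content byte for byte: any later
    // minification or whitespace change would invalidate it.
    return "'sha256-" . base64_encode( hash( 'sha256', $css, true ) ) . "'";
}

// Registration has to happen before headers go out; a plugin would do
// this at init. The CSS here is a constructed sample.
add_action( 'init', function () {
    example_register_inline_style( 'body{margin:0}' );
} );

// Send the policy once all styles are known and before any output.
function example_send_csp_header() {
    global $example_inline_styles;
    $hashes = array_map( 'example_style_hash', array_keys( $example_inline_styles ) );
    $policy = "script-src 'self' 'nonce-" . example_csp_nonce() . "'; "
            . "style-src 'self' " . implode( ' ', $hashes ) . "; "
            . "object-src 'none'; base-uri 'self'";
    header( 'Content-Security-Policy: ' . $policy );
}
add_action( 'send_headers', 'example_send_csp_header' );

// Print the registered styles with exactly the bytes that were hashed.
// The CSS is trusted plugin text here; hashing proves integrity, not safety.
add_action( 'wp_head', function () {
    global $example_inline_styles;
    foreach ( array_keys( $example_inline_styles ) as $css ) {
        echo '<style>' . $css . '</style>' . "\n";
    }
}, 1 );

// Any script printed through the core helpers now carries the nonce
// without per-call plumbing.
add_action( 'wp_footer', function () {
    wp_print_inline_script_tag( 'console.log("nonced inline script");' );
} );
```

Two caveats a site manager should check before relying on this: a nonce is only meaningful if it is fresh per response, so any full-page cache in front of WordPress would hand the same nonce to every visitor and defeat the point (hashes survive caching, nonces do not); and neither mechanism covers inline event handler attributes or javascript: URLs, which still have to be removed from themes and plugins before "unsafe-inline" can go.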
