Automating the creation of inline javascript and inline stylesheet nonces or hashes

[Josiah S. Carberry]

Inline javascripts and stylesheets are fairly common in the WordPress ecosystem. Site managers wishing to harden WordPress via a Content Security Policy have a choice between allowing such inline code via the "unsafe-inline" directive or must find a way to include either hashes or nonces in the CSP and, for nonces, in the code itself.

While there are means to determine hashes for static javascript or stylesheets, this is hardly possible for dynamically created code. It would help better secure WordPress sites if WP included the functionality that could automate the creation of nonces or hashes and automatically include them in a function that sends the appropriate, dynamically created, header via PHP or perhaps by writing to .htaccess or the like.

[swissspidy]

Have you seen ​https://make.wordpress.org/core/2021/02/23/introducing-script-attributes-related-functions-in-wordpress-5-7/?

That post explains the multi-step plan to bring wp-admin to strict CSP mode, with the first part being achieved in #39941. The next step is #51407.

Eventually, all inline scripts in core will be added with the wp_print_script_tag() function and get a nonce through that function.

[Josiah S. Carberry]

I guess the inline javascript part is already in the works. I had not seen that. Remains, however, to do the same thing for inline stylesheets.