Opened 3 years ago
Last modified 3 months ago
#53902 new feature request
Automating the creation of inline javascript and inline stylesheet nonces or hashes
| Field | Value |
|---|---|
| Reported by | Josiah S. Carberry |
| Owned by | |
| Milestone | Awaiting Review |
| Priority | normal |
| Severity | normal |
| Version | |
| Component | Security |
| Keywords | |
| Focuses | javascript |
| Cc | |
Description
Inline JavaScript and stylesheets are fairly common in the WordPress ecosystem. Site managers wishing to harden WordPress via a Content Security Policy have a choice between allowing such inline code via the "unsafe-inline" directive and finding a way to include either hashes or nonces in the CSP and, for nonces, in the code itself.
While there are means to determine hashes for static JavaScript or stylesheets, this is hardly possible for dynamically created code. It would help better secure WordPress sites if WP included functionality that could automate the creation of nonces or hashes and automatically include them in a function that sends the appropriate, dynamically created header via PHP, or perhaps by writing to .htaccess or the like.
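The mechanism the ticket asks for, shown as an added example rather than WordPress core code: an mu-plugin that issues one CSPRNG nonce per request, attaches it through the attribute filters WordPress 5.7 introduced (`wp_inline_script_attributes` and `wp_script_attributes`, which are real hooks), and sends a matching policy header. It also shows the hash route for a static inline block that is printed raw and so cannot receive a nonce. Everything prefixed `csp_example_` and the constant `CSP_EXAMPLE_STATIC_JS` are this example's own names; the header is sent Report-Only because, as the ticket notes, core still prints some inline scripts and all inline styles without these attribute functions, so a strict enforcing policy would break them.

```php
<?php
/**
 * Added example (not WordPress core code). Drop into wp-content/mu-plugins/.
 * Real WordPress hooks used: wp_inline_script_attributes, wp_script_attributes,
 * send_headers, admin_init, wp_footer. Names prefixed csp_example_ and the
 * CSP_EXAMPLE_STATIC_JS constant are this example's own.
 */

// One nonce per request: 128 bits from the CSPRNG, base64 as CSP requires.
// Never serve it from a page cache; a nonce that repeats across requests
// gives no more protection than 'unsafe-inline'.
function csp_example_nonce() {
    static $nonce = null;
    if ( null === $nonce ) {
        $nonce = base64_encode( random_bytes( 16 ) );
    }
    return $nonce;
}

// Hash source for a static inline block: 'sha256-<base64(sha256(body))>'.
// The body must be byte-identical to what is printed between the tags,
// which is why this only works for code that does not change per request.
function csp_example_hash_source( $code ) {
    return "'sha256-" . base64_encode( hash( 'sha256', $code, true ) ) . "'";
}

// Constructed sample of a legacy snippet printed as a raw <script> with no
// attribute filter in its path; it is allowed by hash, not by nonce.
const CSP_EXAMPLE_STATIC_JS = "document.documentElement.classList.add('js');";

add_action( 'wp_footer', function () {
    echo '<script>' . CSP_EXAMPLE_STATIC_JS . "</script>\n";
} );

// Inline scripts printed via wp_print_inline_script_tag() get nonce="...".
add_filter( 'wp_inline_script_attributes', function ( $attributes ) {
    $attributes['nonce'] = csp_example_nonce();
    return $attributes;
} );

// External <script src> tags printed via wp_print_script_tag() get it too.
add_filter( 'wp_script_attributes', function ( $attributes ) {
    $attributes['nonce'] = csp_example_nonce();
    return $attributes;
} );

// Build and send the policy. Report-Only first: any script core or a plugin
// still prints without going through the attribute functions shows up as a
// violation report instead of a broken page. Switch the header name to
// Content-Security-Policy once the reports are clean.
function csp_example_send_header() {
    if ( headers_sent() ) {
        return;
    }
    $nonce  = csp_example_nonce();
    $policy = implode( '; ', array(
        "default-src 'self'",
        "script-src 'self' 'nonce-{$nonce}' " . csp_example_hash_source( CSP_EXAMPLE_STATIC_JS ),
        "style-src 'self' 'nonce-{$nonce}'",
        "object-src 'none'",
        "base-uri 'self'",
    ) );
    header( 'Content-Security-Policy-Report-Only: ' . $policy );
}

// send_headers fires on front-end requests (WP::main) before output; it does
// not fire in wp-admin, so admin_init covers the dashboard as well.
add_action( 'send_headers', 'csp_example_send_header' );
add_action( 'admin_init', 'csp_example_send_header' );
```

The split between the two allow-mechanisms is the practical point of the ticket: a hash pins one exact byte sequence, so it is only viable for code that never varies, while a nonce requires the printing code to cooperate by emitting the attribute, which is exactly what core's `wp_print_inline_script_tag()` migration provides and what inline styles still lack.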
Change History (5)
#2, 3 years ago
I guess the inline JavaScript part is already in the works. I had not seen that. It remains, however, to do the same thing for inline stylesheets.
#4, 3 months ago
Is there an update on this? It is good that unsafe-eval is not needed anymore with the latest Gutenberg version. However, unsafe-inline still seems to be an open issue.
Is there a ticket where one can track the progress of unsafe-inline and see what is still outstanding?
It would be good if it can be resolved, as the security and privacy of WordPress users can be much better protected (given also the many vulnerabilities in third-party plugins).
#5, 3 months ago
Someone on the Gutenberg project proposed a solution: https://github.com/WordPress/gutenberg/issues/42513#issuecomment-2054160477
This could be a good start. It really can help to increase the security of WordPress for its users significantly.
Have you seen https://make.wordpress.org/core/2021/02/23/introducing-script-attributes-related-functions-in-wordpress-5-7/?
That post explains the multi-step plan to bring wp-admin to strict CSP mode, with the first part being achieved in #39941. The next step is #51407.
Eventually, all inline scripts in core will be added with the wp_print_script_tag() function and get a nonce through that function.