Opened 2 years ago
Last modified 2 years ago
#53902 new feature request
Automating the creation of inline javascript and inline stylesheet nonces or hashes
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Security | Keywords: | |
| Focuses: | javascript | Cc: | |
Description
Inline JavaScript and stylesheets are fairly common in the WordPress ecosystem. Site managers wishing to harden WordPress via a Content Security Policy have a choice between allowing such inline code via the "unsafe-inline" directive and finding a way to include either hashes or nonces in the CSP and, for nonces, in the code itself.
While there are means to determine hashes for static JavaScript or stylesheets, this is hardly possible for dynamically created code. It would help better secure WordPress sites if WP included functionality that could automate the creation of nonces or hashes and automatically include them in a function that sends the appropriate, dynamically created header via PHP, or perhaps by writing to .htaccess or the like.
Have you seen https://make.wordpress.org/core/2021/02/23/introducing-script-attributes-related-functions-in-wordpress-5-7/?
That post explains the multi-step plan to bring wp-admin to strict CSP mode, with the first part being achieved in #39941. The next step is #51407.
Eventually, all inline scripts in core will be added with the `wp_print_script_tag()` function and get a nonce through that function.
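A worked example of the nonce approach the comment above points to, added here for illustration; it is not part of the ticket and not WordPress core code. It assumes WordPress 5.7 or later, where the `wp_script_attributes` and `wp_inline_script_attributes` filters introduced in the linked post exist, and that the scripts to be covered are printed through the helper functions those filters apply to. The function names prefixed `csp_example_` and the constant `CSP_EXAMPLE_REPORT_ONLY` are hypothetical, and the policy string is a starting point rather than a recommendation for any particular site.

```php
<?php
/**
 * Plugin Name: CSP nonce for inline scripts (added example, not core code)
 *
 * Generates one nonce per request, attaches it to every <script> tag that
 * core builds through the 5.7 attribute helpers (wp_print_script_tag() /
 * wp_print_inline_script_tag()), and sends a matching CSP header so that
 * inline scripts can run without 'unsafe-inline'.
 */

// Set to false once violation reports look clean; until then the browser
// only reports what the policy would have blocked.
define( 'CSP_EXAMPLE_REPORT_ONLY', true );

// One nonce per request: 128 bits from the CSPRNG, base64 as the CSP spec requires.
// The static cache guarantees the header and every tag see the same value.
function csp_example_nonce() {
    static $nonce = null;
    if ( null === $nonce ) {
        $nonce = base64_encode( random_bytes( 16 ) );
    }
    return $nonce;
}

// Inject nonce="..." into the attribute array that core passes to the filters
// before it serialises the <script> tag. Scripts echoed directly by a plugin or
// theme never pass through here and will be blocked once the policy is enforced.
function csp_example_add_nonce( $attributes ) {
    $attributes['nonce'] = csp_example_nonce();
    return $attributes;
}
add_filter( 'wp_script_attributes', 'csp_example_add_nonce' );
add_filter( 'wp_inline_script_attributes', 'csp_example_add_nonce' );

// Build the policy. 'self' keeps same-origin external scripts working even where
// a tag is not nonced; the nonce admits the inline scripts core prints.
function csp_example_policy( $nonce ) {
    return sprintf(
        "default-src 'self'; script-src 'self' 'nonce-%s'; object-src 'none'; base-uri 'self'",
        $nonce
    );
}

// Send the header before any output. 'init' fires on both the front end and
// wp-admin before the template or admin page starts printing.
function csp_example_send_header() {
    if ( headers_sent() ) {
        return; // Too late: PHP would emit a warning and drop the header.
    }
    $name = CSP_EXAMPLE_REPORT_ONLY ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
    header( $name . ': ' . csp_example_policy( csp_example_nonce() ) );
}
add_action( 'init', 'csp_example_send_header' );

// Hash-based alternative for a static inline script whose body never changes:
// the CSP source expression is base64(SHA-256) over the exact script text
// (between the tags, whitespace included) wrapped as 'sha256-...'.
function csp_example_script_hash( $script_body ) {
    return "'sha256-" . base64_encode( hash( 'sha256', $script_body, true ) ) . "'";
}
```

The report-only switch is the practical check: deploy with `CSP_EXAMPLE_REPORT_ONLY` left at `true`, watch the browser console or a `report-to` endpoint for violations, and only then enforce. Anything still echoed as a raw `<script>` by core, a plugin or a theme shows up there as a violation, which is exactly the gap the ticket describes and the reason the per-request nonce cannot simply be appended to every tag from the outside. Stylesheets are not covered because the linked post introduces no equivalent attribute helper for `<style>` tags; for a static stylesheet the same `csp_example_script_hash()` computation applies to a `style-src` hash.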