Make WordPress Core

Opened 3 years ago · Closed 11 months ago · Last modified 3 months ago

#54214 closed enhancement (duplicate)

Make it possible to add custom attribute to inline script

Reported by: erikdemarco
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Script Loader
Keywords: close
Focuses:
Cc:

Description

Currently, all WordPress sites in the world will not pass the Google Lighthouse 'best practice' test. It will always fail "Ensure CSP is effective against XSS attacks".

The problem is: to enable CSP we need to add 'nonce' attributes to all <script> tags. (https://web.dev/csp-xss/?utm_source=lighthouse&utm_medium=devtools)

We can only add this to external scripts by hooking into 'script_loader_tag'.

But for inline scripts (which are added using 'wp_add_inline_script') it's not possible to add a nonce attribute because it's hardcoded by WP (https://github.com/WordPress/WordPress/blob/2cb4ebefe2ee98fc36a5962e92590cb0451ad2a6/wp-includes/class.wp-scripts.php#L365)

So currently there is no way for WordPress sites to apply CSP other than modifying core WP files directly.

Change History (4)

#1 @audrasjb
3 years ago

  • Component changed from General to Script Loader

Related: #51124

#2 @swissspidy
3 years ago

See also https://make.wordpress.org/core/2021/02/23/introducing-script-attributes-related-functions-in-wordpress-5-7/

Those functions were added specifically because of CSP.

The goal is to eventually convert all usage in WP core to use these functions.
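As an added illustration of the two mechanisms discussed in the description and in comment #2 (this is example code written for this page, not code from the ticket, from WordPress core, or from the linked make/core post), the snippet below generates one per-request CSP nonce, sends the matching header, adds the nonce to enqueued external scripts through the `script_loader_tag` filter, and adds it to scripts printed through the WordPress 5.7+ `wp_print_script_tag()` / `wp_print_inline_script_tag()` helpers via their `wp_script_attributes` and `wp_inline_script_attributes` filters. It assumes a WordPress 5.7 or newer install with PHP 7+ (`random_bytes`), and is meant to live in a plugin or mu-plugin file; the function name `example_csp_nonce` is a placeholder.

```php
<?php
/**
 * Added example (not from the ticket or WordPress core): one per-request CSP
 * nonce attached to the script tags WordPress prints, plus the matching header.
 * Assumes WordPress 5.7+ (wp_script_attributes / wp_inline_script_attributes
 * filters) and PHP 7+ (random_bytes). Drop into a plugin or mu-plugin.
 */

// Returns the same nonce for the whole request; a fresh one on every response.
function example_csp_nonce() {
    static $nonce = null;
    if ( null === $nonce ) {
        // 128 bits from the CSPRNG, base64 so it is valid in a CSP nonce-source.
        $nonce = base64_encode( random_bytes( 16 ) );
    }
    return $nonce;
}

// 1. Send the policy. 'strict-dynamic' lets nonce'd scripts load their own
//    dependencies; object-src/base-uri are the usual hardening companions.
add_action( 'send_headers', function () {
    header(
        "Content-Security-Policy: script-src 'nonce-" . example_csp_nonce() . "' 'strict-dynamic'; "
        . "object-src 'none'; base-uri 'self'"
    );
} );

// 2. External scripts enqueued with wp_enqueue_script(): rewrite the printed tag.
//    Signature of the filter: ( $tag, $handle, $src ).
add_filter( 'script_loader_tag', function ( $tag, $handle, $src ) {
    if ( false !== strpos( $tag, 'nonce=' ) ) {
        return $tag; // Another plugin already added one; do not double up.
    }
    return str_replace(
        '<script ',
        '<script nonce="' . esc_attr( example_csp_nonce() ) . '" ',
        $tag
    );
}, 10, 3 );

// 3. Scripts printed with wp_print_script_tag() / wp_print_inline_script_tag()
//    (WordPress 5.7+): these helpers expose their attribute array to filters,
//    so the nonce can be added as a proper attribute instead of string surgery.
$example_add_nonce_attribute = function ( $attributes ) {
    if ( ! isset( $attributes['nonce'] ) ) {
        $attributes['nonce'] = example_csp_nonce();
    }
    return $attributes;
};
add_filter( 'wp_script_attributes', $example_add_nonce_attribute );
add_filter( 'wp_inline_script_attributes', $example_add_nonce_attribute );

// Usage in a theme or plugin on 5.7+: inline code printed this way gets the nonce.
// wp_print_inline_script_tag( 'console.log( "hello" );' );
//
// Caveat from the ticket: inline code queued with wp_add_inline_script() is
// printed by WP_Scripts with a hardcoded <script> tag, so neither filter in
// step 3 reaches it; that output stays un-nonced until core is converted.
```

Two things to check before relying on this in production: a full-page cache that stores the HTML without storing the matching header (or vice versa) will serve a stale nonce and the browser will block every script, so nonces only work where the page and its CSP header are generated together; and any inline script still emitted through `wp_add_inline_script()`, or by a theme echoing raw `<script>` tags, will be blocked once the header is sent in enforcing mode, so start with `Content-Security-Policy-Report-Only` to discover those before switching the header name.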

#3 @brookedot
11 months ago

  • Keywords close added
  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #51325.

This appears to be a duplicate of 51325 but please do re-open if I'm missing something and they are different tickets.

#4 @swissspidy
3 months ago

  • Milestone Awaiting Review deleted