Opened 2 years ago
#57424 new enhancement
Specific hook for Content Security Policy
| Reported by: | bhubbard | Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Security | Keywords: | |
| Focuses: | | Cc: | |
Description
Right now I see several tickets discussing the Content Security Policy. At the moment I believe the most common ways to set it currently for a WordPress site are:
1) Server Side (Apache, Nginx, etc)
2) Hooking into "send_headers"
3) Hooking into "wp_head" and sending as a meta tag.
To improve reliability and prevent duplicates/bugs, I suggest we have a specific hook for the CSP header. Theme and plugin developers could then use this hook to add their domains, etc. to the CSP. Currently, if I write a plugin that uses an external script, I could create/add a CSP to the site, but I would have no way of knowing what other domains, etc. are being used that would need to be added to the header. Having a specific hook could solve this issue for site owners and developers, leading to a more secure website.
It would also make sense to support the specific arguments such as: font-src, media-src, img-src, etc.
As a bonus I could see these other security related headers benefiting from having their own hooks as well:
- permissions-policy
- referrer-policy
- x-content-type-options
- x-frame-options
- x-xss-protection
- report-to (maybe we can have this default to admin email, or a wp service?)
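As an added example (not code from the ticket or from WordPress core), one shape the proposed hook could take: a single filter through which each plugin or theme contributes sources for the directives it needs, merged, sanitised and emitted once on the existing `send_headers` action. The filter name `wp_content_security_policy`, the function `example_build_csp_header()` and the hosts are assumptions.

```php
<?php
// Added illustration of the proposed hook; not WordPress core code.
// The filter name 'wp_content_security_policy' and example_build_csp_header()
// are hypothetical; the hosts are placeholders.
// Collect per-directive source lists from every plugin/theme through one
// filter, then serialise them into a single header value.
function example_build_csp_header() {
    // Restrictive defaults; contributors widen only the directives they need.
    $defaults = array(
        'default-src'     => array( "'self'" ),
        'script-src'      => array( "'self'" ),
        'img-src'         => array( "'self'", 'data:' ),
        'font-src'        => array( "'self'" ),
        'media-src'       => array( "'self'" ),
        'object-src'      => array( "'none'" ),
        'frame-ancestors' => array( "'self'" ),
    );
    $directives = apply_filters( 'wp_content_security_policy', $defaults );
    $parts = array();
    foreach ( $directives as $name => $sources ) {
        // Skip malformed directive names rather than emit a broken policy.
        if ( ! preg_match( '/^[a-z][a-z-]*$/', $name ) ) {
            continue;
        }
        // Drop empties, duplicates, and anything carrying ';' or a newline,
        // which could otherwise smuggle in a further directive or header.
        $sources = array_filter( array_unique( array_map( 'trim', (array) $sources ) ), function ( $s ) {
            return $s !== '' && ! preg_match( '/[;\r\n]/', $s );
        } );
        if ( $sources ) {
            $parts[] = $name . ' ' . implode( ' ', $sources );
        }
    }
    return implode( '; ', $parts );
}

// A plugin that loads an external script declares just its own hosts.
add_filter( 'wp_content_security_policy', function ( $directives ) {
    $directives['script-src'][] = 'https://cdn.example.com';   // placeholder
    $directives['font-src'][]   = 'https://fonts.example.com'; // placeholder
    return $directives;
} );

// Emit the merged policy once, on the existing send_headers action.
add_action( 'send_headers', function () {
    if ( ! headers_sent() ) {
        header( 'Content-Security-Policy: ' . example_build_csp_header() );
    }
} );
```

Sending the policy as a header rather than via the `wp_head` meta-tag route also matters because a `<meta>` CSP cannot carry `frame-ancestors`, `report-uri` or `sandbox`.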