Make WordPress Core

Opened 2 years ago

#57424 new enhancement

Specific hook for Content Security Policy

Reported by: bhubbard Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version:
Component: Security Keywords:
Focuses: Cc:

Description

Right now I see several tickets discussing the Content Security Policy. At the moment I believe the most common ways to set it currently for a WordPress site are:

1) Server Side (Apache, Nginx, etc)

2) Hooking into "send_headers"

3) Hooking into "wp_head" and sending as a meta tag.

To improve reliability and prevent duplicates/bugs, I suggest we have a specific hook for the CSP header. Theme and plugin developers could then use this hook to add their domains/etc. to the CSP. Currently, if I write a plugin that uses an external script, I could create/add a CSP to the site, but I would have no way of knowing what other domains/etc. are being used that would need to be added to the header. Having a specific hook could solve this issue for site owners and developers, leading to a more secure website.

It would also make sense to support the specific arguments such as: font-src, media-src, img-src, etc.

As a bonus I could see these other security related headers benefiting from having their own hooks as well:

  • permissions-policy
  • referrer-policy
  • x-content-type-options
  • x-frame-options
  • x-xss-protection
  • report-to (maybe we can have this default to admin email, or a wp service?)
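The pattern the ticket asks for (one place that owns the Content-Security-Policy header, with a filter that themes and plugins extend per directive) can be prototyped today as a must-use plugin on top of the existing `send_headers` action. The following is an added example written for this page; it is not WordPress core code and not the reporter's. The filter names `csp_directives` and `csp_report_only`, the `csp_example_*` function names and the CDN hostnames are all assumed for illustration.

```php
<?php
/**
 * Plugin Name: CSP aggregation hook (added example, not WordPress core)
 *
 * Owns the Content-Security-Policy header for front-end requests. Other
 * plugins contribute sources through the (assumed) 'csp_directives' filter
 * instead of each sending its own header, so there is exactly one policy
 * and no duplicates.
 */

function csp_example_send_header() {
    // Output already started: a header cannot be sent any more, and a
    // <meta> fallback would not carry frame-ancestors or report-uri anyway.
    if ( headers_sent() ) {
        return;
    }

    // Deny-by-default baseline. Contributors append to these lists; they
    // must not replace them, otherwise one plugin can silently widen the policy.
    $defaults = array(
        'default-src'     => array( "'self'" ),
        'script-src'      => array( "'self'" ),
        'style-src'       => array( "'self'" ),
        'img-src'         => array( "'self'", 'data:' ),
        'font-src'        => array( "'self'" ),
        'connect-src'     => array( "'self'" ),
        'frame-ancestors' => array( "'self'" ),
        'object-src'      => array( "'none'" ),
        'base-uri'        => array( "'self'" ),
    );

    // Assumed hook name: directive name => list of source expressions.
    $directives = apply_filters( 'csp_directives', $defaults );

    $parts = array();
    foreach ( $directives as $name => $sources ) {
        $name = strtolower( trim( (string) $name ) );
        // Directive names are lowercase letters and hyphens only; anything else
        // is dropped rather than emitted into the header.
        if ( ! preg_match( '/^[a-z-]+$/', $name ) ) {
            continue;
        }

        $clean = array();
        foreach ( (array) $sources as $src ) {
            $src = trim( (string) $src );
            // Reject empty entries and characters that would terminate the
            // directive or the header line; dedupe by using the value as a key.
            if ( '' === $src || preg_match( '/[;\r\n]/', $src ) ) {
                continue;
            }
            $clean[ $src ] = true;
        }
        if ( $clean ) {
            $parts[] = $name . ' ' . implode( ' ', array_keys( $clean ) );
        }
    }

    if ( ! $parts ) {
        return;
    }

    // Assumed hook name: lets a site roll out in report-only mode first.
    $header = apply_filters( 'csp_report_only', false )
        ? 'Content-Security-Policy-Report-Only'
        : 'Content-Security-Policy';

    // Second argument true: replace any earlier header of the same name
    // instead of sending a second one.
    header( $header . ': ' . implode( '; ', $parts ), true );
}
add_action( 'send_headers', 'csp_example_send_header' );

/**
 * Example contributor: a plugin that loads a script from one CDN and web
 * fonts from another. Hostnames are constructed for this example. It only
 * adds to the lists it needs and returns everything else untouched.
 */
function csp_example_plugin_sources( $directives ) {
    $directives['script-src'][] = 'https://cdn.example.com';
    $directives['font-src'][]   = 'https://fonts.example.com';
    return $directives;
}
add_filter( 'csp_directives', 'csp_example_plugin_sources' );
```

Two caveats matter in practice. The filter is evaluated when `send_headers` fires, which happens inside `WP::main()` before any template or `wp_head` output, so contributors must register their `csp_directives` callback at plugin load or on `init`, not from `wp_enqueue_scripts` (that action runs later, inside `wp_head`). And because `send_headers` only fires for requests that go through `WP::main()`, `wp-admin`, `wp-login.php` and REST requests never receive this header; those still need the server-side option from the ticket's list.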

Change History (0)
