Changes between Initial Version and Version 6 of Ticket #59446
Timestamp: 08/10/2025 06:51:52 AM (5 months ago)
Ticket #59446 – Description
Paragraph 1, initial version:

In #58664 the script helper functions—`wp_get_script_tag()`, `wp_print_inline_script_tag()`, `wp_get_inline_script_tag()`—were leveraged to eliminate manual construction of script tags on the frontend and the login screen. These were introduced in #39941. This made it possible to opt-in (see [https://gist.github.com/westonruter/c8b49406391a8d86a5864fb41a523ae9 example plugin]) to a Strict Content-Security-Policy ([https://csp.withgoogle.com/docs/strict-csp.html Strict CSP]) to guard against any possible XSS exploits. The scope in #58664 was limited to the frontend and the login screen because of the sheer number of inline scripts printed on the wp-admin. Additionally, the site editor and block editors make use of dynamically-constructed script tags in the editor iframe which is a Strict CSP violation.

Paragraph 1, version 6 (only the example plugin link changed):

In #58664 the script helper functions—`wp_get_script_tag()`, `wp_print_inline_script_tag()`, `wp_get_inline_script_tag()`—were leveraged to eliminate manual construction of script tags on the frontend and the login screen. These were introduced in #39941. This made it possible to opt-in (see [https://github.com/westonruter/strict-csp example plugin]) to a Strict Content-Security-Policy ([https://csp.withgoogle.com/docs/strict-csp.html Strict CSP]) to guard against any possible XSS exploits. The scope in #58664 was limited to the frontend and the login screen because of the sheer number of inline scripts printed on the wp-admin. Additionally, the site editor and block editors make use of dynamically-constructed script tags in the editor iframe which is a Strict CSP violation.

Paragraph 2, unchanged between versions:

Much of the work to rework inline scripts to use `wp_print_inline_script()` in the admin can be seen in an [https://github.com/WordPress/wordpress-develop/pull/498 existing PR] (now stale) from @enricocarraro.
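As an added illustration of the opt-in the description refers to (example code, not from the ticket, the linked plugin, or WordPress core), the following small plugin stamps a per-request nonce onto every script tag that core emits through the helper functions and sends a matching Strict CSP header on the frontend and login screen. It assumes the `wp_script_attributes` and `wp_inline_script_attributes` filters that the tag helpers apply; all `example_`-prefixed function names are hypothetical.

```php
<?php
/**
 * Plugin Name: Strict CSP opt-in (illustrative example, not core code)
 *
 * Relies on the wp_script_attributes / wp_inline_script_attributes filters
 * applied by wp_get_script_tag() and wp_get_inline_script_tag().
 */

// One nonce per request, generated once and shared by the header and the tags.
function example_csp_nonce() {
    static $nonce = null;
    if ( null === $nonce ) {
        // 128 bits from the CSPRNG; base64 is safe in both header and attribute.
        $nonce = base64_encode( random_bytes( 16 ) );
    }
    return $nonce;
}

// Attach the nonce to every <script> that core builds through the tag helpers.
// Scripts printed by hand (not via the helpers) get no nonce and will be blocked,
// which is exactly the gap the ticket describes for wp-admin.
function example_csp_add_nonce( $attributes ) {
    $attributes['nonce'] = example_csp_nonce();
    return $attributes;
}
add_filter( 'wp_script_attributes', 'example_csp_add_nonce' );
add_filter( 'wp_inline_script_attributes', 'example_csp_add_nonce' );

// Emit the Strict CSP header. 'strict-dynamic' lets nonced scripts load their own
// dependencies; 'unsafe-inline' and https: are ignored by CSP3 browsers and only
// serve as fallbacks for older ones.
function example_csp_send_header() {
    // Scope matches #58664: frontend and login screen only, never wp-admin.
    if ( is_admin() ) {
        return;
    }
    $policy = sprintf(
        "script-src 'nonce-%s' 'strict-dynamic' 'unsafe-inline' https:; object-src 'none'; base-uri 'none';",
        example_csp_nonce()
    );
    header( 'Content-Security-Policy: ' . $policy );
}
add_action( 'send_headers', 'example_csp_send_header' ); // frontend requests
add_action( 'login_init', 'example_csp_send_header' );   // wp-login.php
```

Switching the header name to `Content-Security-Policy-Report-Only` during rollout reports remaining un-nonced scripts to a `report-uri` without blocking them.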