Opened 5 months ago
Closed 5 months ago
#63710 closed defect (bug) (duplicate)
Content Security Policy (CSP) violations in WordPress – How to fix unsafe-inline script and style issues?
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 6.8.1 |
| Component: | General | Keywords: | |
| Focuses: | | Cc: | |
Description
I’m working on a WordPress website and trying to implement a strict Content Security Policy (CSP) for better security. However, I’m encountering multiple CSP errors due to inline scripts and styles, such as:
Refused to execute inline script because it violates the following CSP directive: "script-src 'self'".
- Added CSP headers using PHP: `header("Content-Security-Policy: script-src 'self'; style-src 'self';");`
- Noticed several WordPress plugins and themes output inline JavaScript and inline styles.
- Tried moving scripts to external files manually, but still facing issues due to dynamically injected inline scripts.
I'm aware of nonce and hash methods, but unclear how to use them effectively with WordPress functions like wp_enqueue_script() or wp_add_inline_script().
Environment:
- WordPress 6.8.1
- PHP 7.4
- Using Avada multipurpose theme, multiple plugins
- Hosting on Nginx
Any code examples or best practices would be appreciated!
Hello!
Quite a bit of work was done on this previously in #39941.
See this comment for how you can use CSP on the frontend now: https://core.trac.wordpress.org/ticket/39941#comment:110
To enable CSP in the admin without unsafe-inline, see this follow up ticket: #59446
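One way to wire the nonce method into the functions the reporter names, in the spirit of the frontend approach the reply points to on #39941. This is an added example, not code from this ticket or from WordPress core; it assumes WordPress 5.7 or newer (where the `wp_script_attributes` and `wp_inline_script_attributes` filters exist) and a hypothetical `js/demo.js` in the active theme.

```php
<?php
/**
 * Added example (not from this ticket or from WordPress core): a per-request
 * CSP nonce sent in the header and stamped onto every script tag that core
 * prints, so 'unsafe-inline' is not needed for script-src. Load as an mu-plugin.
 */

function csp_example_nonce() {
    // One random nonce per request, cached so the header and the tags agree.
    static $nonce = null;
    if ( null === $nonce ) {
        $nonce = base64_encode( random_bytes( 16 ) );
    }
    return $nonce;
}

// Send the policy before any output: 'self' for external files, the nonce for
// inline blocks. style-src is left as in the ticket; see the note below.
add_action( 'send_headers', function () {
    $nonce = csp_example_nonce();
    header(
        "Content-Security-Policy: script-src 'self' 'nonce-{$nonce}'; "
        . "style-src 'self'; object-src 'none'; base-uri 'self';"
    );
} );

// Both filters receive the attribute array core uses when printing a tag.
function csp_example_add_nonce( array $attributes ) {
    $attributes['nonce'] = csp_example_nonce();
    return $attributes;
}
// <script src="..."> tags printed for wp_enqueue_script() handles.
add_filter( 'wp_script_attributes', 'csp_example_add_nonce' );
// Inline blocks printed for wp_add_inline_script() and wp_localize_script().
add_filter( 'wp_inline_script_attributes', 'csp_example_add_nonce' );

// Usage with the functions the reporter mentions (js/demo.js is hypothetical).
// The inline snippet runs because core prints it with a matching nonce attribute.
add_action( 'wp_enqueue_scripts', function () {
    wp_enqueue_script( 'csp-demo', get_theme_file_uri( 'js/demo.js' ), array(), '1.0', true );
    wp_add_inline_script( 'csp-demo', 'window.cspDemo = { ready: true };', 'before' );
} );
```

Scripts that a theme or plugin echoes directly as raw `<script>` markup bypass these filters and will still be reported as violations, which is the quickest way to find what needs moving to the enqueue API; inline `<style>` blocks from wp_add_inline_style() get no nonce from this example.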