Changes between Initial Version and Version 1 of Ticket #64683
- Timestamp:
- 04/09/2026 12:01:26 AM (5 weeks ago)
Ticket #64683 – Properties

- Component: changed from General to Script Loader
Ticket #64683 – Description
(Version 1 only adds Trac link and monospace markup to the initial text; the wording is otherwise unchanged. The v1 text follows.)

On my site, we want to use a [https://infosec.mozilla.org/guidelines/web_security#content-security-policy content-security-policy]. And in this policy, we would like to not include support for 'unsafe-inline' scripts.

We can include inline scripts, as long as they have a nonce in them. That is, instead of just a `<script>` tag, if they included a `<script nonce="xxxxxxx">`, where the nonce is generated on every page load, and if our Content-Security-Policy contains `script-src 'nonce-xxxxxxxx'`.

Some of the scripts generated by WordPress core—and, indeed, by plugins—print themselves out using the `wp_get_inline_script_tag` function. When a script does that, then our theme can add a filter on the `wp_inline_script_attributes` hook, which adds the nonce according to our own logic.

However, there are some inline scripts printed by WordPress core that do not use `wp_get_inline_script_tag`, and with these scripts, there is no way for our theme to add a nonce to the script tag, and therefore no way to allow these scripts to run in the context of a Content-Security-Policy that does not allow 'unsafe-inline' scripts.

The scripts added by WordPress core are at least those that are added by `wp_default_scripts`. Ultimately, these are printed out using the function `_print_scripts`, in `wp-includes/script-loader.php`. It prints the script tag using

{{{
…
}}}

where `$type_attr` is either the empty string or `"type='text/javascript'"`.

I propose that `_print_scripts` be changed so that instead of echoing the script directly, it constructs the code it wants to output, and prints it onto the page using `wp_get_inline_script_tag`, so that themes or plugins can add filters on the `wp_inline_script_attributes` hook to add a nonce (or do anything else).

Is that a good approach? If so, I can submit a pull request.
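As an added example (not part of the ticket and not WordPress core or theme code), here is the theme-side half of the approach the description relies on: one nonce per page load, a Content-Security-Policy header without 'unsafe-inline', and a filter on `wp_inline_script_attributes` that stamps that nonce onto every inline script printed through `wp_get_inline_script_tag`. The hook names and the filter's `( $attributes, $data )` signature are the ones the ticket refers to; the `mytheme_` function names, the exact policy string and the 16-byte nonce length are assumptions for illustration.

```php
<?php
/**
 * Added example, not the ticket's or WordPress's own code.
 * Theme snippet: per-request CSP nonce, CSP header without 'unsafe-inline',
 * and a wp_inline_script_attributes filter that attaches the nonce.
 * All mytheme_* names are hypothetical.
 */

/**
 * Return the nonce for this request, generating it on first use.
 *
 * It is cached in a static so the header and every <script nonce="..."> tag
 * on the page carry the same value; CSP compares them byte for byte.
 * random_bytes() is CSPRNG-backed and base64 is the encoding CSP expects.
 */
function mytheme_csp_nonce() {
	static $nonce = null;
	if ( null === $nonce ) {
		$nonce = base64_encode( random_bytes( 16 ) ); // 16 bytes is an assumed length
	}
	return $nonce;
}

/**
 * Send the policy before any body output. No 'unsafe-inline': only scripts
 * from the site's own origin or carrying this request's nonce may run.
 * Policy directives beyond script-src are an assumed baseline.
 */
function mytheme_send_csp_header() {
	if ( headers_sent() ) {
		return; // too late to set headers; nothing sensible to do here
	}
	header(
		"Content-Security-Policy: script-src 'self' 'nonce-" . mytheme_csp_nonce() . "'; "
		. "object-src 'none'; base-uri 'self'"
	);
}
add_action( 'send_headers', 'mytheme_send_csp_header' );

/**
 * Filter callback for wp_inline_script_attributes.
 *
 * @param array  $attributes Attributes that wp_get_inline_script_tag() will render.
 * @param string $data       The inline JavaScript itself (unused here).
 * @return array Attributes with the nonce added.
 */
function mytheme_add_script_nonce( $attributes, $data ) {
	$attributes['nonce'] = mytheme_csp_nonce();
	return $attributes;
}
add_filter( 'wp_inline_script_attributes', 'mytheme_add_script_nonce', 10, 2 );
```

With this in place, any inline script that core or a plugin prints via `wp_get_inline_script_tag` renders as `<script nonce="...">` and is allowed by the header, while a script that `_print_scripts` echoes directly never passes through the filter, so the browser blocks it under this policy; that blocked tag is the gap the ticket proposes closing, and a CSP `report-to`/`report-uri` endpoint is the usual way to see such violations while rolling the policy out.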