[wp-trac] [WordPress Trac] #32067: Remove inline javascript from WP-Core to allow CSP protection

WordPress Trac noreply at wordpress.org
Thu Apr 23 01:04:51 UTC 2015


#32067: Remove inline javascript from WP-Core to allow CSP protection
-----------------------------+------------------------------
 Reporter:  tdelmas          |       Owner:
     Type:  feature request  |      Status:  new
 Priority:  normal           |   Milestone:  Awaiting Review
Component:  Security         |     Version:
 Severity:  normal           |  Resolution:
 Keywords:                   |     Focuses:
-----------------------------+------------------------------

Comment (by dd32):

 Unfortunately this just isn't going to be possible for WordPress to add.
 WordPress historically has support for inline JS, both being emitted by
 core (Emoji in 4.2 is a good example) and user-added (inline JavaScript in
 posts is allowed if you're an administrator).

 While CSP is a great mechanism, and should definitely be used on sites
 that need it (I'd suggest a plugin), it doesn't make sense by default in
 WordPress IMHO.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/32067#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

