[wp-trac] [WordPress Trac] #39941: Allow using Content-Security-Policy without unsafe-inline
WordPress Trac
noreply at wordpress.org
Wed Apr 24 12:43:31 UTC 2024
#39941: Allow using Content-Security-Policy without unsafe-inline
-------------------------------------------------+-------------------------
Reporter: tomdxw | Owner:
| adamsilverstein
Type: enhancement | Status: closed
Priority: normal | Milestone: 5.7
Component: Security | Version: 4.8
Severity: normal | Resolution: fixed
Keywords: has-patch has-unit-tests commit | Focuses: javascript
has-dev-note |
-------------------------------------------------+-------------------------
Comment (by Rahe):
Hello,
Beware with this, you do not check if the script is "malicious" or not.
You could have your content hacked and somebody add a malicious Javascript
to redirect or display something on the page, and since you authorized it
with CSP this will execute.
You should check if it's a script added with WordPress API(add_inline
etc.), this limits the possibility of malicious content.
Sme plugins don't use this API but this could be a good start :)
Nicolas,
--
Ticket URL: <https://core.trac.wordpress.org/ticket/39941#comment:116>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list