[wp-trac] [WordPress Trac] #39941: Allow using Content-Security-Policy without unsafe-inline

WordPress Trac noreply at wordpress.org
Thu Aug 7 08:57:28 UTC 2025


#39941: Allow using Content-Security-Policy without unsafe-inline
-------------------------------------------------+-------------------------
 Reporter:  tomdxw                               |       Owner:
                                                 |  adamsilverstein
     Type:  enhancement                          |      Status:  closed
 Priority:  normal                               |   Milestone:  5.7
Component:  Security                             |     Version:  4.8
 Severity:  normal                               |  Resolution:  fixed
 Keywords:  has-patch has-unit-tests commit      |     Focuses:  javascript
  has-dev-note                                   |
-------------------------------------------------+-------------------------

Comment (by saggre):

 @amanandhishoe I think this is the wrong approach. It is simpler to trust
 any inline script that has been output by functions in the WordPress API,
 like `wp_add_inline_script` and discard other inline scripts. If an
 external actor can output a new script tag through those functions, the
 site is already compromised by other means.

 Yes, there can be a case where malicious user input is passed to the
 inputs to the inline script output functions themselves, but you're still
 unlikely to filter or sanitize them robustly by static analysis, and the
 injected payload can be obfuscated anyway.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/39941#comment:121>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
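
The nonce-based approach the comment argues for, as an added illustration that is not the ticket's patch or any WordPress core code: a small plugin that emits a per-response `Content-Security-Policy` without `'unsafe-inline'` and attaches the same nonce to every script tag WordPress prints, using the `wp_script_attributes` and `wp_inline_script_attributes` filters that exist from WordPress 5.7 (the ticket's milestone). The function name `csp_example_nonce` and the closure variable are this example's own.

```php
<?php
/**
 * Plugin Name: CSP Nonce Example (added illustration, not part of ticket #39941)
 * Assumes WordPress 5.7 or later.
 */

// One unpredictable nonce per HTTP response. Deliberately NOT wp_create_nonce(),
// which is deterministic per user for hours and therefore unsuitable for CSP.
function csp_example_nonce() {
    static $nonce = null;
    if ( null === $nonce ) {
        $nonce = base64_encode( random_bytes( 16 ) );
    }
    return $nonce;
}

// Send a policy that omits 'unsafe-inline': only nonced scripts are allowed to run,
// so inline scripts injected outside the WordPress API are blocked by the browser.
add_action( 'send_headers', function () {
    if ( headers_sent() ) {
        return;
    }
    header(
        "Content-Security-Policy: script-src 'self' 'nonce-" . csp_example_nonce() . "'; "
        . "object-src 'none'; base-uri 'self'"
    );
} );

// Attach the nonce to the <script> tags WordPress itself prints, both the
// external ones from wp_enqueue_script() and the inline ones from
// wp_add_inline_script(), via the 5.7 attribute filters.
$csp_example_add_nonce = function ( $attributes ) {
    $attributes['nonce'] = csp_example_nonce();
    return $attributes;
};
add_filter( 'wp_script_attributes', $csp_example_add_nonce );
add_filter( 'wp_inline_script_attributes', $csp_example_add_nonce );
```

Because the nonce must differ on every response, full-page caching of the HTML breaks this scheme unless the cache layer rewrites the nonce on delivery; themes or plugins that print `<script>` tags directly, bypassing the API, will also be blocked, which is the intended effect and a useful way to find them.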