[wp-trac] [WordPress Trac] #39941: Allow using Content-Security-Policy without unsafe-inline
WordPress Trac
noreply at wordpress.org
Sun Aug 10 07:06:19 UTC 2025
#39941: Allow using Content-Security-Policy without unsafe-inline
-------------------------------------------------+-------------------------
Reporter: tomdxw | Owner:
| adamsilverstein
Type: enhancement | Status: closed
Priority: normal | Milestone: 5.7
Component: Security | Version: 4.8
Severity: normal | Resolution: fixed
Keywords: has-patch has-unit-tests commit | Focuses: javascript
has-dev-note |
-------------------------------------------------+-------------------------
Comment (by westonruter):
FYI: I've just published the "[https://wordpress.org/plugins/strict-csp/
Strict CSP]" plugin ([https://github.com/westonruter/strict-csp/ GitHub
repo]). It enables a Strict Content Security Policy on the frontend and
the login screen, assuming the theme and plugins are printing scripts
using the relevant APIs and not just printing `<script>` tags directly.
Once #59446 is addressed, then the plugin could also apply to the admin.
Hopefully the repo can serve as a way for us to collaborate on how a site
can opt-in to Strict CSP.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/39941#comment:123>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list