[wp-trac] [WordPress Trac] #39941: Allow using Content-Security-Policy without unsafe-inline

WordPress Trac noreply at wordpress.org
Sun Aug 10 19:48:53 UTC 2025


#39941: Allow using Content-Security-Policy without unsafe-inline
-------------------------------------------------+-------------------------
 Reporter:  tomdxw                               |       Owner:
                                                 |  adamsilverstein
     Type:  enhancement                          |      Status:  closed
 Priority:  normal                               |   Milestone:  5.7
Component:  Security                             |     Version:  4.8
 Severity:  normal                               |  Resolution:  fixed
 Keywords:  has-patch has-unit-tests commit      |     Focuses:  javascript
  has-dev-note                                   |
-------------------------------------------------+-------------------------

Comment (by saggre):

 Replying to [comment:123 westonruter]:
 > FYI: I've just published the "[https://wordpress.org/plugins/strict-csp/
 Strict CSP]" plugin ([https://github.com/westonruter/strict-csp/ GitHub
 repo]). It enables a Strict Content Security Policy on the frontend and
 the login screen, assuming the theme and plugins are printing scripts
 using the relevant APIs and not just printing `<script>` tags directly.
 Once #59446 is addressed, then the plugin could also apply to the admin.
 Hopefully the repo can serve as a way for us to collaborate on how a site
 can opt-in to Strict CSP.

 Thank you for this.

 There's also a separate, but related use case where the site is behind a
 cache layer and thus can't output nonces directly. In this case the nonce
 for safe inline scripts (scripts output via WP functions) can be marked
 with a placeholder, like `**CSP_NONCE**`, and string-replaced after the
 cache layer.

 See here: https://scotthelme.co.uk/csp-nonce-support-in-nginx/

 In these cases the response header is also usually set by the web server,
 so setting `Content-Security-Policy` could be optional. I may be
 interested in making a PR, but please let me know what you think.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/39941#comment:124>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
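The placeholder approach described in the comment, as an added example that is not code from the ticket, the Strict CSP plugin, or the linked article: a small must-use plugin stamps `**CSP_NONCE**` into the nonce attribute of every script tag WordPress prints through its script APIs, using the `wp_script_attributes` and `wp_inline_script_attributes` filters this ticket introduced in 5.7. The nginx directives in the trailing comment, which substitute a per-request value after the cache and set the header, are assumed and follow the pattern from the linked article.

```php
<?php
/**
 * Plugin Name: CSP Nonce Placeholder (added example)
 *
 * Stamps a fixed placeholder into the nonce attribute of every script tag
 * that WordPress prints via wp_print_script_tag() / wp_print_inline_script_tag().
 * The real per-request nonce is substituted by the web server after the page
 * cache, so the cached HTML never contains a reusable nonce.
 */

// Placeholder literal the edge server string-replaces. Chosen so it cannot
// appear in real attribute values; it must match the sub_filter pattern below.
const CSP_NONCE_PLACEHOLDER = '**CSP_NONCE**';

/**
 * Add the placeholder nonce to a script tag's attribute array.
 * Scripts printed as raw <script> tags bypass this filter and are blocked by
 * the policy, which is the signal that they still need porting to the APIs.
 *
 * @param array $attributes Attributes for the <script> tag.
 * @return array Attributes with a nonce added.
 */
function csp_placeholder_nonce_attributes( array $attributes ): array {
    // Leave an existing nonce alone so another plugin (e.g. one issuing real
    // nonces on uncached pages) keeps control.
    if ( ! isset( $attributes['nonce'] ) ) {
        $attributes['nonce'] = CSP_NONCE_PLACEHOLDER;
    }
    return $attributes;
}
add_filter( 'wp_script_attributes', 'csp_placeholder_nonce_attributes' );
add_filter( 'wp_inline_script_attributes', 'csp_placeholder_nonce_attributes' );

/*
 * Matching nginx configuration (assumed; placed after the cache layer, in the
 * location/server block that serves the cached HTML):
 *
 *   set $csp_nonce $request_id;              # 32 hex chars, random per request
 *   sub_filter_once off;                     # replace every occurrence, not just the first
 *   sub_filter '**CSP_NONCE**' $csp_nonce;   # rewrite the cached body on the way out
 *   add_header Content-Security-Policy
 *       "script-src 'nonce-$csp_nonce' 'strict-dynamic'; object-src 'none'; base-uri 'none'";
 *
 * Because the header is set here, WordPress itself sends no CSP header, which
 * is the optional-header case the comment mentions.
 */
```

sub_filter only rewrites uncompressed bodies, so when the cache sits upstream the proxy must request plain responses (proxy_set_header Accept-Encoding "") and compress at the edge instead.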

