[wp-trac] [WordPress Trac] #32067: Remove inline javascript from WP-Core to allow CSP protection
WordPress Trac
noreply at wordpress.org
Mon May 4 02:48:59 UTC 2026
#32067: Remove inline javascript from WP-Core to allow CSP protection
---------------------------------+-----------------------------
Reporter: anonymized_14391430 | Owner: (none)
Type: feature request | Status: assigned
Priority: normal | Milestone: Future Release
Component: Security | Version:
Severity: normal | Resolution:
Keywords: close | Focuses: javascript
---------------------------------+-----------------------------
Changes (by westonruter):
* keywords: => close
Comment:
I believe this is largely resolved with #39941 and #58664, with the
exception of #64683 for concatenated scripts. Most scripts are now printed
via `wp_get_inline_script_tag()` and `wp_get_script_tag()` which include
filters for the attributes so that the CSP `nonce` can be inserted. This
includes `wp_localize_script()`.
What is remaining is #59446 to ensure that scripts constructed in the
admin use the helper functions. Also, #51407 is open for tracking the
removal of inline event handlers which cannot be marked as secure with
nonces.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/32067#comment:23>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
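
The filter mechanism the comment describes, as an added example (not code from the ticket or from WordPress core): a small plugin that puts a per-request CSP nonce on script tags built by `wp_get_script_tag()` and `wp_get_inline_script_tag()`. The `example_` function names and the policy string are assumptions; the header is sent in report-only mode because the comment lists concatenated scripts, admin-constructed scripts and inline event handlers as still open.

```php
<?php
/**
 * Plugin Name: CSP nonce example (constructed for illustration)
 */

// One nonce per request, reused by every script tag and by the header.
// Function name is hypothetical.
function example_csp_nonce(): string {
	static $nonce = null;
	if ( null === $nonce ) {
		$nonce = base64_encode( random_bytes( 18 ) );
	}
	return $nonce;
}

// Shared callback: add the nonce attribute to whatever attributes core passes in.
function example_add_csp_nonce( array $attributes ): array {
	$attributes['nonce'] = example_csp_nonce();
	return $attributes;
}

// Tags printed through wp_get_script_tag() (external scripts with a src).
add_filter( 'wp_script_attributes', 'example_add_csp_nonce' );

// Tags printed through wp_get_inline_script_tag(), which includes the
// data emitted for wp_localize_script().
add_filter( 'wp_inline_script_attributes', 'example_add_csp_nonce' );

// Front-end requests only: 'send_headers' does not fire for wp-admin screens.
// Report-Only surfaces violations without blocking scripts that are still
// printed outside the helper functions or that rely on inline event handlers.
add_action(
	'send_headers',
	function () {
		header(
			sprintf(
				"Content-Security-Policy-Report-Only: script-src 'nonce-%s'; object-src 'none'; base-uri 'none'",
				example_csp_nonce()
			)
		);
	}
);
```

A per-request nonce assumes the HTML is not served from a full-page cache; a cached page would carry a stale nonce that no longer matches the header.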