• Resolved jamminjames

    (@jamminjames)


    In the plugin description, you say, “You can use hashes or nonces to authorize inline scripts.” Does that mean this plugin will help set that up, or is it just a general statement that people can do this?

    WordPress really ought to set up nonces (or hashes) for all their inline scripts, and a system to use them. Do you know if that is in the works? Or if there is a plugin that will do this, if yours doesn’t?

    If your plugin does help set up hashes or nonces to authorize inline scripts, please point me to instructions for getting this going.

    Thanks!

Viewing 6 replies - 1 through 6 (of 6 total)
  • The plug-in provides a very straightforward means of applying nonce or hash to inline scripts and styles as needed.

    For anyone who has encountered this hardship, I think it is implied by the name of the plugin.
    “No unsafe-inline”

    It’s a brilliant plug-in. Just activate it, and the configuration screens are very self-explanatory.

WordPress does include a nonce function, however applying nonce or hash to inline scripts and styles should really be a last resort after first trying to build the site without the use of inline scripts, and ensuring styles are contained in an external stylesheet, etc. Until builders and plugins catch up, this plug-in provides a realistic means for most WP websites to achieve a CSP free of high and medium priority risks.

    Thread Starter jamminjames

    (@jamminjames)

    WordPress does include a nonce function, however applying nonce or hash to inline scripts and styles should really be a last resort

But a lot of inline scripts are created by plugins. Those are the ones that need this; we’re not adding any ourselves.

    The plug-in provides a very straightforward means of applying nonce or hash to inline scripts and styles as needed.

    I don’t see that anywhere. The plugin seems to just scan for needed CSP rules and suggests them for each instance.

    Plugin Author Giuseppe

    (@mociofiletto)

    Thanks to @jamminjames for the question and to @kojis for the answer.

    Both of you are right.

In the end, WP and many WP plugins are not created with strict CSP in mind. This is why this plugin adds nonces and/or hashes and all the rest of it (and yes, the statement in the description means that the plugin does it).

However, there are many situations in which this plugin will fail: typically it is when some JS libraries are used in the UI and they work by calling JS primitives to add style attributes directly in the DOM, or by loading HTML with script and style as text into the DOM. Some situations can be managed by the plugin by overwriting JS primitives (see the code in includes/js/no-unsafe-inline-fix-style.js), some can’t be.

So, in the end, this plugin will help in many situations, but the best way to achieve a really strict CSP would be to avoid the use of code that is written without CSP in mind… and I don’t think it is really possible in a complex WP project.

The Gutenberg editor is a good example of how some JS functions shouldn’t be used (in my honest and not very useful opinion), but this is just an example, not a blame on the Gutenberg editor (which I like).

    Thread Starter jamminjames

    (@jamminjames)

    Okay, thanks. So, I’m trying to understand exactly what your plugin does. You say, “This is why this plugin adds nonce and/or hashes” …

Does it add a static nonce or hash to the place in any plugin’s code where it calls an inline JS file? Or does it add a variable for a nonce/hash, and then somehow dynamically create a new nonce or hash for every page load?

    If it does one of the above, does your plugin then suggest the corresponding code to add to our CSP that references the nonce/hash (or the variable)?

    Thanks.

    Plugin Author Giuseppe

    (@mociofiletto)

It adds a different nonce for every page load and includes it directly in the CSP.

However, why don’t you try the plugin in a test environment to see how it works?
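The mechanism Giuseppe describes (a fresh nonce on every page load, written into each inline tag and into the policy header) and the hash alternative the thread mentions, as an added Python illustration. This is not the No unsafe-inline plugin's code and not WordPress code; the sample HTML, the function names and the regex-based tagging are assumptions made for the example. It is worth noting that WordPress's own wp_create_nonce() is an anti-CSRF token that stays valid for hours, so it is not usable as a CSP nonce, which must be unguessable and unique per response.

```python
import base64
import hashlib
import re
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed sample: the kind of page a theme plus plugins emit, with one inline
# <style>, one external script and one inline <script> added by a plugin.
SAMPLE_HTML = """<html><head>
<style>body{margin:0}</style>
<script src="/wp-includes/js/jquery.min.js"></script>
</head><body>
<script>window.pluginCfg={"ajax":"/wp-admin/admin-ajax.php"};</script>
</body></html>"""

# Matches <script>...</script> and <style>...</style> elements (assumption: simple markup,
# no '>' inside attribute values). Inline event handlers and style="" attributes are
# deliberately not matched: a nonce cannot authorise those at all.
INLINE_TAG = re.compile(
    r"<(script|style)(?P<attrs>[^>]*)>(?P<body>.*?)</\1>", re.DOTALL | re.IGNORECASE
)


def is_external(attrs: str) -> bool:
    """External scripts are allowed by the host source ('self'), not by the nonce."""
    return re.search(r"\bsrc\s*=", attrs, re.IGNORECASE) is not None


def new_nonce() -> str:
    """128 bits from the CSPRNG, base64 encoded: one per HTTP response, never reused."""
    return base64.b64encode(secrets.token_bytes(16)).decode()


def csp_hash(body: str) -> str:
    """'sha256-...' source expression for exactly this inline body (whitespace-sensitive)."""
    digest = hashlib.sha256(body.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode()


def add_nonces(html: str, nonce: str) -> str:
    """Tag every inline <script>/<style> with nonce="..."; leave external scripts alone."""
    def repl(m: "re.Match") -> str:
        tag, attrs, body = m.group(1), m.group("attrs"), m.group("body")
        if is_external(attrs):
            return m.group(0)
        return f'<{tag}{attrs} nonce="{nonce}">{body}</{tag}>'
    return INLINE_TAG.sub(repl, html)


def inline_hashes(html: str) -> Dict[str, List[str]]:
    """Hash-based alternative: one sha256 source per inline element, no markup change."""
    out: Dict[str, List[str]] = {"script": [], "style": []}
    for m in INLINE_TAG.finditer(html):
        if is_external(m.group("attrs")):
            continue
        out[m.group(1).lower()].append(csp_hash(m.group("body")))
    return out


def build_csp(nonce: Optional[str] = None, hashes: Optional[Dict[str, List[str]]] = None) -> str:
    """Policy with no 'unsafe-inline': hosted files via 'self', inline via nonce or hashes."""
    script_src = ["script-src 'self'"]
    style_src = ["style-src 'self'"]
    if nonce:
        script_src.append(f"'nonce-{nonce}'")
        style_src.append(f"'nonce-{nonce}'")
    if hashes:
        script_src += [f"'{h}'" for h in hashes["script"]]
        style_src += [f"'{h}'" for h in hashes["style"]]
    return "; ".join(["default-src 'self'", " ".join(script_src), " ".join(style_src)])


def render_with_nonce(html: str) -> Tuple[str, str]:
    """Per-page-load variant: returns (rewritten HTML, Content-Security-Policy value)."""
    nonce = new_nonce()
    return add_nonces(html, nonce), build_csp(nonce=nonce)


def render_with_hashes(html: str) -> Tuple[str, str]:
    """Static variant: HTML untouched, policy lists a hash for each inline element."""
    return html, build_csp(hashes=inline_hashes(html))


if __name__ == "__main__":
    body, header = render_with_nonce(SAMPLE_HTML)
    print("Content-Security-Policy:", header)
    print(body)
    print("Content-Security-Policy:", render_with_hashes(SAMPLE_HTML)[1])
```

Two points the example makes concrete. First, once a nonce or hash source appears in script-src, CSP2-capable browsers ignore any 'unsafe-inline' in the same directive, so the header must be generated on the same request as the markup it covers. Second, both variants only reach <script> and <style> elements: a library that sets style attributes or injects markup through DOM primitives is outside what a nonce or hash can authorise, which is exactly the failure mode described in the reply above.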

    Thread Starter jamminjames

    (@jamminjames)

    Okay, I’ll do that. Thanks.
