• Resolved Kostiantyn Petlia

    (@kostiantynpetlia)


    Hi.
    I like your plugin. It does work well, but recently I’ve run into issues implementing a Content Security Policy (CSP) with your plugin.

    The best practice is not to use ‘unsafe-inline’ and ‘unsafe-eval’ for scripts.

    To make a long story short, I coded the functionality of dynamic CSP (it calculates hashes or adds a nonce for inline and external scripts). Details are not so important, but I use standard WP functions and filters for scripts: wp_add_inline_script(), wp_print_inline_script_tag(), wp_localize_script(), etc. That allows me to add the CSP nonce to them or calculate hashes for them. Everything works well, but…

    Your plugin outputs an inline script with an inline handler in an inappropriate way, without using any WP functions or filters (‘wp_inline_script_attributes’, ‘wp_script_attributes’). At least in mo_saml_add_sso_button(). It makes it impossible to implement CSP for your scripts and forces me to use dirty tricks to fix it. It’s really sad.

    I urge you to support CSP and output JS scripts with WP functions/filters only (and don’t use inline handlers like onclick, etc.).

    Thanks.

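The pattern the report asks for, as an added example that is not part of the original post and not the SAML plugin's own code. The two filters and the script-loader functions are real WordPress core APIs (the filters exist since 5.7); everything else (the csp_demo_* function names, the 'csp-demo-sso' handle, the shortcode and the login URL) is made up for the illustration. It assumes a WordPress version in which output from wp_add_inline_script() and wp_localize_script() is rendered through wp_get_inline_script_tag(), so that the 'wp_inline_script_attributes' filter reaches it (assumed here to be 6.3 or newer). The "before" function shows why an inline onclick handler can never be covered by a nonce; the "after" path moves the behaviour into a registered script so the nonce is stamped by the filters and the page works under a policy without 'unsafe-inline'.

```php
<?php
/*
 * Plugin Name: CSP nonce demo
 * Illustrative code added to this thread; not the SAML plugin's code.
 * Function names, the script handle and the login URL are assumptions.
 */

// One nonce per request, generated on first use.
function csp_demo_nonce() {
    static $nonce = null;
    if ( null === $nonce ) {
        $nonce = base64_encode( random_bytes( 16 ) );
    }
    return $nonce;
}

// Send the policy before any output. Only the nonce authorises inline
// scripts: no 'unsafe-inline', no 'unsafe-eval'.
add_action( 'send_headers', function () {
    header( "Content-Security-Policy: script-src 'self' 'nonce-" . csp_demo_nonce()
        . "'; object-src 'none'; base-uri 'self'" );
} );

// Core filters behind wp_get_script_tag() and wp_get_inline_script_tag():
// every <script> printed through them gets the nonce attribute.
function csp_demo_add_nonce_attr( $attributes ) {
    $attributes['nonce'] = csp_demo_nonce();
    return $attributes;
}
add_filter( 'wp_script_attributes', 'csp_demo_add_nonce_attr' );
add_filter( 'wp_inline_script_attributes', 'csp_demo_add_nonce_attr' );

// Before: the pattern objected to above. Echoed straight into the page, so the
// filters never see it, and the behaviour sits in an onclick attribute. A nonce
// cannot be attached to an event-handler attribute, so the policy above makes
// the browser block it (only 'unsafe-inline' or 'unsafe-hashes' would allow it).
function csp_demo_sso_button_before() {
    return '<button onclick="window.location=\'/wp-login.php?option=saml_user_login\'">'
        . 'Login with SSO</button>';
}

// After: markup with no handler; the behaviour lives in a script registered
// with WordPress. The handle has src=false because the code is inline-only,
// so only the inline tags are printed, each carrying the nonce.
add_action( 'wp_enqueue_scripts', function () {
    wp_register_script( 'csp-demo-sso', false, array(), '1.0', true );
    wp_localize_script( 'csp-demo-sso', 'cspDemoSso', array(
        'loginUrl' => '/wp-login.php?option=saml_user_login', // assumed URL
    ) );
    $js = 'document.addEventListener("DOMContentLoaded", function () {'
        . ' var btn = document.getElementById("csp-demo-sso-btn");'
        . ' if (btn) { btn.addEventListener("click", function () {'
        . ' window.location.href = cspDemoSso.loginUrl; }); }'
        . ' });';
    wp_add_inline_script( 'csp-demo-sso', $js );
    wp_enqueue_script( 'csp-demo-sso' );
} );

function csp_demo_sso_button_after() {
    return '<button id="csp-demo-sso-btn" type="button">Login with SSO</button>';
}
add_shortcode( 'csp_demo_sso_button', 'csp_demo_sso_button_after' );
```

To check the result, load a page containing the shortcode with the browser console open: the rendered tags should read `<script nonce="...">` with the same value as the `nonce-...` source in the Content-Security-Policy response header, and no CSP violation should be reported. Two caveats a practitioner would want: a per-request nonce is incompatible with full-page caching (a cached page carries a stale nonce that no longer matches the header), which is where the hash approach the report mentions fits instead, with 'sha256-' . base64_encode( hash( 'sha256', $script_source, true ) ) listed in the header; and any plugin that still echoes `<script>` tags or `onclick` attributes directly, as described for mo_saml_add_sso_button(), bypasses both filters and cannot be covered by either mechanism without 'unsafe-inline' or 'unsafe-hashes'.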
Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Support anukasha

    (@anukasha)

    Hi @kostiantynpetlia,

    We are glad to know that you like our plugin and it has been working well for you.

    Thanks for your suggestion on making the plugin compatible with CSP. Our team is currently checking the feasibility of enqueuing the scripts using WP functions for mo_saml_add_sso_button(). We would be pushing this change in the next release of the plugin, if everything looks good.

    Please let me know if you have any further questions.

    Thanks,
    Anukasha

    Thread Starter Kostiantyn Petlia

    (@kostiantynpetlia)

    Thank you for the fast implementation of the changes.
