• Hi all,

    First post, so please be gentle.

    I’m trying to harden our WordPress setup and for that I’m implementing a somewhat strict CSP. I wrote an mu-plugin that generates a nonce once per request, adds it to an HTTP header, then intercepts all script, style and link tags coming out of script_loader_tag and style_loader_tag and adds the nonce to them. However, and despite seeing the nonce in every tag that should have one when I curl the wp-login and wp-admin pages, when I view them in the browser I see a few scripts without nonces. Most notably, the <link> tag that references load-styles.php (both wp-login and wp-admin) and the <script> tag calling load-scripts.php (only on wp-login; it has the nonce in wp-admin).

    My CSP is as follows:

        default-src 'self' https:;
        script-src 'self' 'nonce-$nonce' 'strict-dynamic' https:;
        style-src 'self' 'nonce-$nonce' https:;
        font-src 'self' https:;
        img-src 'self' https:;
        frame-src 'self' https:;
        worker-src 'self' blob:;
        script-src-attr 'self';
        style-src-attr 'self';
        frame-ancestors 'none';

    Am I just being too ambitious in my policy? Or is there something I can do? Preferably without having to modify WP core files and plugin files every time there is an update, of course.
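The approach the post describes, written out as an added example (this is illustrative code, not the poster's mu-plugin); it assumes the file lives in wp-content/mu-plugins and uses only the two filters named in the post plus the wp_script_attributes / wp_inline_script_attributes filters that WordPress 5.7+ exposes for tags printed through wp_print_script_tag() and wp_print_inline_script_tag(). Tags that core or plugins echo directly never pass through any of these filters and so get no nonce.

```php
<?php
/**
 * Example mu-plugin (added example, not the poster's code).
 * Assumption: saved as wp-content/mu-plugins/csp-nonce.php.
 */

// One nonce per request: 128 bits from the CSPRNG, base64 so it is
// valid both in the header and in an HTML attribute.
function csp_example_nonce(): string {
    static $nonce = null;
    if ($nonce === null) {
        $nonce = base64_encode(random_bytes(16));
    }
    return $nonce;
}

add_action('send_headers', function (): void {
    $n = csp_example_nonce();
    // Caveat: browsers that honour 'strict-dynamic' ignore 'self' and
    // https: in script-src, so any nonce-less <script> is blocked there.
    $policy = "default-src 'self' https:; "
        . "script-src 'self' 'nonce-$n' 'strict-dynamic' https:; "
        . "style-src 'self' 'nonce-$n' https:; "
        . "frame-ancestors 'none'";
    header('Content-Security-Policy: ' . $policy);
});

// <script> tags produced by wp_enqueue_script() pass through this filter.
add_filter('script_loader_tag', function (string $tag, string $handle, string $src): string {
    if (strpos($tag, ' nonce=') !== false) {
        return $tag; // already nonced, do not duplicate the attribute
    }
    $attr = ' nonce="' . esc_attr(csp_example_nonce()) . '"';
    return preg_replace('/<script\b/', '<script' . $attr, $tag);
}, 10, 3);

// <link rel="stylesheet"> tags produced by wp_enqueue_style() pass through here.
add_filter('style_loader_tag', function (string $html, string $handle, string $href, string $media): string {
    if (strpos($html, ' nonce=') !== false) {
        return $html;
    }
    $attr = ' nonce="' . esc_attr(csp_example_nonce()) . '"';
    return preg_replace('/<link\b/', '<link' . $attr, $html);
}, 10, 4);

// WordPress 5.7+: attribute arrays for tags printed via wp_print_script_tag()
// and wp_print_inline_script_tag(); core uses these for some of its own tags.
$csp_example_add_nonce_attr = function (array $attrs): array {
    $attrs['nonce'] = csp_example_nonce();
    return $attrs;
};
add_filter('wp_script_attributes', $csp_example_add_nonce_attr);
add_filter('wp_inline_script_attributes', $csp_example_add_nonce_attr);
```

Tags that still lack a nonce in the browser (such as the load-scripts.php and load-styles.php tags mentioned in the post) are being echoed by code that bypasses all of the above, which a CSP violation report (report-to / report-uri) will show you without touching core files.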

Viewing 2 replies - 1 through 2 (of 2 total)
  • threadi

    (@threadi)

    Without knowing your programming, my guess would be that it is executed too early. With wp-load.php probably at a time when these two files are not yet in the list. You could only find this out by debugging the core files (without changing anything in them, of course, but this way you can find out in which order what is added).

    Thread Starter nelsonsousa

    (@nelsonsousa)

    Unfortunately it runs a bit deeper than that: there’s quite a lot of WP code (even in WP core) that just echoes <script> and <style> tags to the client instead of enqueuing them as it should. So there’s no nonce-injecting mu-plugin that can assist there, unfortunately.
