• I found many plugins are still not ready for CSP, so that you must specify unsafe-inline and unsafe-eval (making CSP absolutely useless).

    But, is WordPress, without any plugin installed, CSP-compliant? Or is there inline JS somewhere? I noticed some scripts but I’m not sure where they are coming from.

Viewing 10 replies - 1 through 10 (of 10 total)
  • Moderator bcworkz

    (@bcworkz)

    Could be, but it really isn’t. Compliance is largely theme dependent, though WP core is partly responsible for headers sent. I think with the right theme and no problematic plugins, WP could be made to be CSP compliant. We would need to rethink emoji support, but otherwise it’s pretty close.

    The key is “right theme”. I don’t think there is any theme that currently complies. One could be built, but building a good theme is non-trivial.

    Compliance is largely theme dependent, though WP core is partly responsible for headers sent.

    I didn’t know what CSP was, but I just read https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP and I don’t see how CSP relates to a theme at all. Themes don’t have anything to do with the headers sent. The themes in the repository must bundle all resources used also, so there is nothing in the theme that is from external sites (exception being Google Fonts).

    Moderator bcworkz

    (@bcworkz)

    Themes and plugins can also send headers is all I meant by “partly responsible”. By default, yes core sends all headers. CSP prohibits inline scripts and styles, which many themes use for one reason or another. Off the top of my head, core inlines emoji support and customizer CSS.

    Curiously, CSP is at odds with Google’s push for mobile-centric fast page loads where inlining is encouraged.

    From what I read, you had to specify what was allowed, not that CSP prohibits it by default.
    Themes typically do not do inline scripts. At least the themes from the repository are encouraged to enqueue all scripts. There could be some inline styles, but those are done by core also. Plugins do whatever they want.

    Moderator bcworkz

    (@bcworkz)

    https://developers.google.com/web/fundamentals/security/csp/#inline_code_is_considered_harmful

    Themes outside the repository, which is a big business sadly, also do whatever they want.

    But users can put inline styles or scripts into their posts, also.

    Thread Starter islp

    (@islp)

    Sorry @bcworkz and @joy, I completely forgot this discussion.

    What I don’t understand is: why core-emoji/theme/plugin developers need to insert their JS that way?

    And: is it possible to replace something like this?

    <script type='text/javascript'>
    /* <![CDATA[ */
    var wp = {"apiSettings":{"root":"https:\/\/www.example.com\/wp-json\/x-x-7\/v1","namespace":"x-x-7\/v1"},"recaptcha":{"messages":{"empty":"Please verify that you are not a robot."}}};
    /* ]]> */
    </script>

    Maybe the whole problem could be solved at the core level, with WP automatically providing CSP hashes/nonces for every unsafe script.

    Hello,
    I put my question in my own thread, but it was only half answered – I will close that thread and ask here if WordPress – not theme nor plugin – needs eval().
    I was told it needs inline scripts.

    Secondly I would like to join islp’s last question about the script:
    A similar or same (newbie) pops up on my index.html and it would be no great problem if I could just hash it, but for some reason it just keeps changing the hash. I already asked Stack Overflow if this is to be expected, but if somebody here has an answer, I’d be glad to hear it.

    Best Regards

    Thread Starter islp

    (@islp)

    @bz61vl0p

    Please, read here:
    https://developers.google.com/web/fundamentals/security/csp/

    (after “If you absolutely must use it …”)

    @islp

    thanks – I just had to let go of a paid theme that did

  • The topic ‘WordPress and CSP’ is closed to new replies.