Skip to content

Add Content Security Policy compatibility (#14) #29

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
celticr merged 3 commits into from
Jan 12, 2026
Merged

Add Content Security Policy compatibility (#14) #29

celticr merged 3 commits into from
Jan 12, 2026

Conversation

@celticr
Copy link
Contributor

@celticr celticr commented Jan 12, 2026
edited
Loading

Summary

  • Moves inline <style> block to external assets/css/sophia-chat.css
  • Replaces onclick handler with addEventListener in assets/js/sophia-chat.js
  • Uses data-chat-url attribute for CSP-safe URL passing
  • Properly enqueues assets via wp_enqueue_scripts hook

Test plan

  • PHP syntax check passes
  • Widget renders with external CSS
  • Click opens popup via external JS
  • Popup fallback to direct navigation works

How Verified

Manual testing: widget appears and functions correctly.

Reviewer Focus

@celticr @claude
Add Content Security Policy compatibility (#14)
7103e16 
- Moves inline styles to external CSS file
- Replaces onclick handler with addEventListener in external JS
- Uses data-chat-url attribute instead of inline JS
- Adds wp_enqueue_scripts hook for proper asset loading

Sites with strict CSP headers will no longer block the widget.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
celticr
celticr commented Jan 12, 2026
View reviewed changes
Copy link
Contributor Author

@celticr celticr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PR #29: Add Content Security Policy Compatibility - Review

Summary

Solid security improvement that moves inline styles and onclick handlers to external files for CSP compatibility. Well-structured approach with proper WordPress asset enqueueing.

Review Findings

Strengths:

  • Properly uses wp_enqueue_style and wp_enqueue_script with version cache-busting
  • Correctly uses esc_url() for all URL output
  • Smart use of data-chat-url attribute for CSP-safe URL passing
  • Good popup fallback pattern if popup is blocked
  • Focus styles added for accessibility (:focus outline)

Minor Issues (Low severity):

  1. Audit logging bundled with CSP changes - The PR includes audit logging functions (sophia_chat_log_change, etc.) which is outside the CSP scope. Consider splitting to a separate PR for cleaner history, though not blocking.

Tests

  • All 25 unit tests pass
  • PHP syntax validates cleanly

Recommendation: Ready to merge

This was referenced Jan 12, 2026
Merged
Merged
@celticr
Copy link
Contributor Author

celticr commented Jan 12, 2026

Update

The audit logging is now in main (merged via PR #26's branch history). This PR now contains only CSP-specific changes:

  • assets/css/sophia-chat.css - External styles with docblock
  • assets/js/sophia-chat.js - External JS with addEventListener (CSP-safe)
  • sophia-chat.php - Uses data-chat-url attribute, enqueues external assets

The split recommended in review has been achieved through the merge process.

@celticr celticr mentioned this pull request Jan 12, 2026
Closed
@celticr celticr merged commit a2cd3e2 into main Jan 12, 2026
1 check passed
@celticr celticr deleted the feature/csp-compatibility branch January 12, 2026 15:31
This was referenced Jan 12, 2026
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@celticr