Content-Security-Policy #68

Open
macgeneral opened this Issue Oct 22, 2016 · 6 comments

4 participants
@macgeneral

Is there a way that Autooptimize could insert a script/css 'nonce' in the script/style tag? That way I could allow scripts and css with that nonce while disallowing all others (and abandoning 'unsafe-inline').

Autooptimize is the perfect place for this feature because it already can strip all inline code; it's just missing a function to either generate a script/css hash and modify the CSP header, or alternatively just add the tag required above.

@futtta

Owner

futtta commented Oct 23, 2016

That would certainly be possible, but AO does not do that (yet). If you feel like contributing, go for it, I'll be happy to guide you in the right direction! :-)

@futtta futtta added the enhancement label Oct 23, 2016

@macgeneral

macgeneral commented Oct 24, 2016

I'd love to if I can find some spare time in November.

@futtta

Owner

futtta commented Oct 24, 2016

Great!

I would go for hashes rather than nonces, as this would -if I understand correctly- not require AO to inject different CSP headers for different JS/CSS files; you just need to add a CSP header stating the hash is to be checked, right?

@futtta

Owner

futtta commented Jun 25, 2017

I'm still interested in this (the hash-based solution) @macgeneral, a PR would be welcomed :-)

@mundschenk-at

mundschenk-at commented Feb 27, 2018

You would need to add the hash value to the CSP header. I think in practice, replacing a (secret) dummy nonce via the web server is easier at the moment.
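To make the hash-versus-nonce trade-off discussed in the two comments above concrete, here is an added illustration (not Autoptimize code, and not from any participant): it computes the CSP hash-source for an inline block the way a browser does, assembles the header, and models the browser's allow/block decision, including the CSP level 2 rule that 'unsafe-inline' is ignored once a hash or nonce is listed. The sample inline script and all function names are constructed for this example.

```python
import base64
import hashlib
import secrets

# Constructed sample inline script of the kind a plugin leaves in the page
# and that a policy without 'unsafe-inline' would block.
SAMPLE_INLINE_JS = "document.documentElement.className += ' js';"
HASH_ALGOS = ("sha256", "sha384", "sha512")

def csp_hash_source(inline_code: str, algo: str = "sha256") -> str:
    """CSP hash-source for one inline script/style body. The digest covers the
    exact text between the tags, whitespace included, so compute it over the
    final emitted output, not the pre-minified source."""
    digest = hashlib.new(algo, inline_code.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"

def csp_nonce_source() -> str:
    """Nonce-source. A fresh random value is required on every response, which
    is why a nonce cannot sit in a static web-server header while a hash can."""
    return f"'nonce-{base64.b64encode(secrets.token_bytes(16)).decode('ascii')}'"

def build_csp(script_sources, style_sources) -> str:
    """Assemble the Content-Security-Policy header value."""
    return (f"script-src {' '.join(script_sources)}; "
            f"style-src {' '.join(style_sources)}")

def inline_allowed(csp: str, directive: str, inline_code: str) -> bool:
    """Simplified model of the browser decision for an inline block: allowed if
    a listed hash matches the content exactly, or if 'unsafe-inline' is present
    and no nonce-/hash-source is listed (CSP level 2+ ignores it otherwise)."""
    for part in csp.split(";"):
        tokens = part.split()
        if not tokens or tokens[0] != directive:
            continue
        sources = tokens[1:]
        strict = any(s.startswith("'nonce-") or
                     s.startswith(tuple(f"'{a}-" for a in HASH_ALGOS))
                     for s in sources)
        if "'unsafe-inline'" in sources and not strict:
            return True
        return any(csp_hash_source(inline_code, a) in sources for a in HASH_ALGOS)
    return False  # directive absent; a real browser falls back to default-src

if __name__ == "__main__":
    policy = build_csp(["'self'", csp_hash_source(SAMPLE_INLINE_JS)], ["'self'"])
    print(policy)
    print(inline_allowed(policy, "script-src", SAMPLE_INLINE_JS))        # True
    print(inline_allowed(policy, "script-src", SAMPLE_INLINE_JS + " "))  # False
```

Note that a single trailing space changes the hash and the block is blocked, which is why the hash has to be taken from the exact bytes the optimizer finally writes out.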

@johnbillion

johnbillion commented May 22, 2018

I'm hoping to land support for this in WordPress core: https://core.trac.wordpress.org/ticket/39941
