1

One of my clients has a CSP policy that is VERY tight. And it makes it so all inline scripts are declined.

[![enter image description here][1]][1] [1]: https://i.sstatic.net/NJynA.png

So i'm looking in adding a hash or nonce to all scripts on the page, whatever is their origin (I've got some coming from things like WPML and Litespeed cache, so I can't really just manually go add it with a hook every time)

Improve this question
4
  • When you say add a hash or nonce, can you elaborate? There are several things that could mean, if what you meant was SRI then that may not solve your problem and you may also run into a brick wall trying to get some plugins to work. That CSP restriction will also cause fundamental incompatibilities, there are parts of WP Admin that can never work with the inline restriction, the kind that's generated dynamically on the fly so you can't attach SRI to it. The only reliable fix to this is to change the CSP policy Commented Dec 10, 2020 at 23:56
  • Yeah for that I'm kinda fucked. The CSP Policy has been requested by the morons in the IT department of the parent company of my client. I don't think I can go fight them on that. So I'm stuck with the CSP. Commented Dec 11, 2020 at 14:12
  • 1
    Then there is nothing you can do. Luckily this isn't your problem, tell your client you tried your best, but what they want is not possible because of the CSP policy, and there is no workaround. Without a change in the CSP policy this will never work. If they ask why, point them towards plugins, and the underscores javascript libraries template functions. Otherwise you will have to fork every plugin and fix them manually, and replace parts of WordPress core, and will have to quote them several months of fulltime work, possible a year or longer Commented Dec 11, 2020 at 20:35
  • 1
    Yeah that is what we ended up doing. Just throwing it to our client and say 'your site bugs because of the overbearing requests of your IT, deal with them if you want to have a website that works'. The site doesn't have anything to protect... (No transactions or damaging private information) So I just told them that what their IT department was asking was the security to have a safe inside a vault... to protect your Harry Potter book. Commented Dec 11, 2020 at 20:38

2 Answers 2

Reset to default
0

In case you need to add SRI to script file resources, this great approach should do the trick.

https://joshuatz.com/posts/2020/adding-extra-attributes-to-style-and-script-tags-in-wordpress/

It provides a tool to add any attribute to script and style elements added by wp_enqueue_, and has a good example there, with exactly this thought in mind.

One caveat is it works for scripts in the head and maybe not in the body right now.

*For inline scripts, I am still looking for a good solution myself.

Improve this answer
0

I have been trying to do the same thing and recently stumbled across this wordpress plugin that claims to support the creation of a Strict CSP.

https://wordpress.org/plugins/no-unsafe-inline/

It looks to still be in the early stages of development, but the reviews are positive. I will be testing on a non production server shortly.

Improve this answer
1
  • While this link may answer the question, it is better to include the essential parts of the answer here and provide the link for reference. Link-only answers can become invalid if the linked page changes. - From Review Commented Nov 7, 2022 at 11:40

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.