August 11, 2014 at 10:58 am #4210
Have you looked at the impact of Content Security Policy on the forthcoming Thematic 2.0, especially the use of inline scripts and inline styles which are discouraged to prevent XSS attacks?
Here are some relevant links…

August 19, 2014 at 4:25 am #4219
Thanks for the links, I was not aware of this. However, I don’t think this has any big impact on Thematic since creating a Content Security Header is plugin territory and not theme territory.
Thematic 2.0 does not write any inline scripts or styles by itself. However, it does make use of
There are some other cases where WordPress might output inline scripts or styles, and child themes can also choose to do so if they want. It will be up to any individual site owner to audit their site and decide if and how they want to implement a Content Security Policy.

August 19, 2014 at 11:32 am #4221
Thanks for considering this. I understand that child themes and plugins are another issue but it would be great if standard Thematic supported CSP out of the box.
Regarding the inline script from wp_localize_script() – instead of inlining it, would it be possible to have Thematic load it from a local script file instead?
Thanks.

August 20, 2014 at 4:27 am #4222
The CSP team seems to be aware of these kinds of scenarios, since the 1.1 draft wants to include the ability to whitelist inline scripts and styles through nonces.
Thematic does support CSP, in that there is nothing hindering a site owner from adding it. Until CSP 1.1 becomes a reality though, a site owner that wants to use it will need to either
– use the unsafe-inline keyword in the CSP header for
There is a ticket in WordPress trac about CSP here: https://core.trac.wordpress.org/ticket/10237. It seems to have been dormant for a while though. I think WordPress’ default use of both inline styles and the wp_localize_script() will need some work before a CSP header can be added by default.

August 21, 2014 at 11:04 am #4225
Thanks for your comments. I can see it is not a straightforward fix.
Great info about the WordPress ticket that I hadn’t seen – I noticed that has now been assigned, so maybe something will happen there.
The topic ‘Thematic 2.0 and Content Security Policy’ is closed to new replies.