Thematic 2.0 and Content Security Policy


This topic is: not resolved

This topic contains 4 replies, has 2 voices, and was last updated by  silas 3 years, 1 month ago.

  • #4210

    silas
    Participant

    Have you looked at the impact of Content Security Policy on the forthcoming Thematic 2.0, especially the use of inline scripts and inline styles which are discouraged to prevent XSS attacks?

    Here are some relevant links…

    http://www.w3.org/TR/CSP11/
    http://cspisawesome.com/
    http://www.cspplayground.com/compliant_examples#inlinescripts
    http://www.cspplayground.com/compliant_examples#style

    #4219

    middlesister
    Keymaster

    Thanks for the links, I was not aware of this. However, I don’t think this has any big impact on Thematic since creating a Content Security Header is plugin territory and not theme territory.

    Thematic 2.0 does not write any inline scripts or styles by itself. However, it does make use of wp_localize_script() in which some javascript is output inline before the closing body tag.

    There are some other cases where WordPress might output inline scripts or styles, and child themes can also choose to do so if they want. It will be up to any individual site owner to audit their site and decide if and how they want to implement a Content Security Policy.

    #4221

    silas
    Participant

    Thanks for considering this. I understand that child themes and plugins are another issue but it would be great if standard Thematic supported CSP out of the box.

    Regarding the inline script from wp_localize_script() – instead of inlining it, would it be possible to have Thematic load it from a local script file instead?

    Thanks.

    #4222

    middlesister
    Keymaster

    Unfortunately, the way it is now, wp_localize_script() is necessary. It is used to pass variables from PHP to JavaScript, variables that can be changed via filtering in a child theme. Hard-coding these variables in the JS file means child themes have no easy control over some aspects such as the animation of the menu and the breakpoint for the mobile menu.

    The CSP team seems to be aware of these kinds of scenarios, since the 1.1 draft wants to include the ability to whitelist inline scripts and styles through nonces.

    Thematic does support CSP, in that there is nothing hindering a site owner from adding it. Until CSP 1.1 becomes a reality though, a site owner that wants to use it will need to either

    – use the unsafe-inline keyword in the CSP header for script-src
    OR
    – replace the Thematic JavaScript file with its own in the child theme. That is, dequeue the Thematic script and enqueue a custom JavaScript file with all variables hard-coded in the script.

    There is a ticket in WordPress trac about CSP: https://core.trac.wordpress.org/ticket/10237. It seems to have been dormant for a while, though. I think WordPress’ default use of both inline styles and wp_localize_script() will need some work before a CSP header can be added by default.
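The second workaround above (dequeue Thematic's script, enqueue a child-theme script with the variables hard-coded) together with a site-owner-level CSP header, as an added example that is not code from the Thematic project or from either poster. It assumes a child theme's functions.php; the script handle `thematic-main` is a placeholder, since the thread does not name the handle Thematic actually registers, and `child-main` / `js/main.js` are names chosen for the example. The header is sent in Report-Only mode first so that any remaining inline script or style from core or plugins (the wp_localize_script() output mentioned in #4219, for instance) is reported rather than blocked while the site is being audited.

```php
<?php
// Child-theme functions.php (added example, not Thematic's own code).

// PLACEHOLDER: the handle under which Thematic enqueues its main script is
// not given in the thread; replace it with the real one before use.
const THEMATIC_SCRIPT_HANDLE = 'thematic-main';

/**
 * Swap Thematic's script (and the inline wp_localize_script() payload that
 * comes with it) for a child-theme script that has the values hard-coded.
 */
function child_replace_thematic_script() {
    wp_dequeue_script( THEMATIC_SCRIPT_HANDLE );
    wp_deregister_script( THEMATIC_SCRIPT_HANDLE );

    // js/main.js is an assumed path; it carries the menu/breakpoint values
    // that Thematic would otherwise pass via wp_localize_script().
    wp_enqueue_script(
        'child-main',
        get_stylesheet_directory_uri() . '/js/main.js',
        array( 'jquery' ),
        '1.0',
        true // load in the footer, like the script it replaces
    );
}
// Priority 20 so this runs after the parent theme's own enqueue at default priority.
add_action( 'wp_enqueue_scripts', 'child_replace_thematic_script', 20 );

/**
 * Site-owner territory: emit a CSP without 'unsafe-inline'. Report-Only means
 * violations are reported (browser console, or the report-uri endpoint) but
 * nothing is blocked, which is the safe way to find leftover inline code.
 * Switch the header name to Content-Security-Policy once the reports are clean.
 */
function child_send_csp_header() {
    $directives = array(
        "default-src 'self'",
        "script-src 'self'",
        "style-src 'self'",
        "img-src 'self' data:",
        'report-uri /csp-report', // assumed endpoint that logs the JSON reports
    );
    header( 'Content-Security-Policy-Report-Only: ' . implode( '; ', $directives ) );
}
add_action( 'send_headers', 'child_send_csp_header' );
```

The `send_headers` action fires on front-end requests before any output, which is where a header must be set; the WordPress admin screens are not covered by it, which is deliberate here because they rely on inline scripts and would need their own policy work.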

    #4225

    silas
    Participant

    Thanks for your comments. I can see it is not a straightforward fix.

    Great info about the WordPress ticket that I hadn’t seen – I noticed that it has now been assigned, so maybe something will happen there.


The topic ‘Thematic 2.0 and Content Security Policy’ is closed to new replies.