CSP Test for WP Scripts

👉 Update: The CSP issues identified by this test have been fixed! Check out the new version of this test.

This is a test case to see whether deferred inline scripts as proposed in wordpress-develop#4391 (for Core-39941) are compatible with Content-Security-Policy (CSP). Note that the scripts intended to be executed include a nonce of r4nd0m. The default policy incorporates the 'strict-dynamic' source expression from Google's recommended Strict CSP, with the addition of 'unsafe-hashes' in order to accommodate the onload event handler attributes on the script[async] elements.

Note that 'strict-dynamic' is currently incompatible with the approach taken in wpLoadAfterScripts(): because this function is marked as trusted, the bad deferred inline script is also treated as trusted when it is converted from text/template to text/javascript. If you remove 'strict-dynamic' from the field below and submit, you'll see that the failing conditions present under Strict CSP no longer occur.
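
One way a loader of this kind could avoid extending its own trust to un-nonced templates is to promote a text/template script only when it carries the loader's nonce. This is an added example, not the code from wordpress-develop#4391; promoteDeferredScripts, fakeDocument and demo are hypothetical names, and the fake document is a constructed stand-in for the DOM so the block runs outside a browser.

```javascript
// Hypothetical hardened loader (not wpLoadAfterScripts() from the pull request).
// A template is promoted to an executable script only if its nonce equals the
// nonce of the trusted loader; in a browser that would be document.currentScript.nonce.
function promoteDeferredScripts(doc, loaderNonce) {
  const result = { promoted: [], skipped: [] };
  if (!loaderNonce) return result; // nothing to compare against: promote nothing
  for (const tpl of Array.from(doc.querySelectorAll('script[type="text/template"]'))) {
    // Browsers hide the nonce content attribute once CSP applies, so read the
    // IDL property first and fall back to the attribute.
    const nonce = tpl.nonce || tpl.getAttribute('nonce') || '';
    if (nonce !== loaderNonce) { result.skipped.push(tpl); continue; }
    const script = doc.createElement('script');
    script.nonce = nonce; // the new element is allowed by its own nonce
    script.textContent = tpl.textContent;
    tpl.replaceWith(script);
    result.promoted.push(script);
  }
  return result;
}

// Constructed stand-in for the few DOM calls used above.
function fakeDocument(templates) {
  const nodes = templates.map((t) => ({
    type: 'text/template', nonce: t.nonce || '', textContent: t.code,
    getAttribute: () => null,
    replaceWith(n) { nodes[nodes.indexOf(this)] = n; },
  }));
  return {
    nodes,
    querySelectorAll: () => nodes.filter((n) => n.type === 'text/template'),
    createElement: () => ({ type: 'text/javascript', nonce: '', textContent: '' }),
  };
}

// Constructed sample: one template with the page's nonce, one without.
function demo() {
  const doc = fakeDocument([
    { nonce: 'r4nd0m', code: 'console.log("good")' },
    { code: 'console.log("bad")' }, // no nonce: must stay inert
  ]);
  const r = promoteDeferredScripts(doc, 'r4nd0m');
  return {
    promoted: r.promoted.length,
    skipped: r.skipped.length,
    types: doc.nodes.map((n) => n.type),
  };
}
```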

@westonruter