👉 Update: The CSP issues identified by this test have been fixed! Check out the new version of this test.
This is a test case to see whether deferred inline scripts as proposed in wordpress-develop#4391 (for Core-39941) are compatible with Content-Security-Policy (CSP). Note that the scripts intended to be executed include a nonce of r4nd0m. The default policy incorporates the 'strict-dynamic' source expression from Google's recommended Strict CSP, with the addition of unsafe-hashes in order to accommodate the onload event handler attributes on the script[async] elements.
Note that 'strict-dynamic' is currently incompatible with the approach taken in wpLoadAfterScripts(): because this function is marked as trusted, the bad deferred inline script is also considered trusted in the process of converting it from text/template to text/javascript. If you try removing 'strict-dynamic' from the field below and submit, you'll see that the failing conditions present under Strict CSP no longer occur.
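The trust propagation described above can be sketched as a small decision model. This is an added example, not code from this test page or from WordPress. The policy strings and element descriptors are constructed, and it assumes the converted script counts as inserted by a running script rather than by the HTML parser.

```javascript
// Simplified model of the script-src decision for a <script> element.
// Not a full CSP implementation: hashes, URLs and 'unsafe-hashes' are ignored.
function parseScriptSrc(policy) {
  // Find the script-src directive and return its source expressions.
  for (const directive of policy.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'script-src') return sources;
  }
  return [];
}

function scriptAllowed(policy, script) {
  const sources = parseScriptSrc(policy);
  // A matching nonce always marks the element as trusted.
  if (script.nonce && sources.includes(`'nonce-${script.nonce}'`)) return true;
  // 'strict-dynamic' extends trust to elements that a running script
  // inserted (not parser-inserted), whether or not they carry a nonce.
  if (sources.includes("'strict-dynamic'") && !script.parserInserted) return true;
  return false;
}

// Constructed descriptors mirroring the test page.
// The trusted script that performs the conversion carries the page nonce.
const loader = { nonce: 'r4nd0m', parserInserted: true };
// The bad deferred script has no nonce. As text/template it is inert data;
// once re-created as text/javascript (assumed: by the trusted script) it is
// no longer parser-inserted.
const badConverted = { nonce: null, parserInserted: false };

// Constructed policies: the default one, and the same without 'strict-dynamic'.
const STRICT = "script-src 'nonce-r4nd0m' 'strict-dynamic' 'unsafe-hashes'";
const NONCE_ONLY = "script-src 'nonce-r4nd0m' 'unsafe-hashes'";

function runMatrix() {
  const check = (policy) => ({
    loader: scriptAllowed(policy, loader),
    badConverted: scriptAllowed(policy, badConverted),
  });
  return { strict: check(STRICT), nonceOnly: check(NONCE_ONLY) };
}

console.log(JSON.stringify(runMatrix(), null, 2));
```

In this model the nonce-less script runs only under the policy that contains 'strict-dynamic', which matches the behaviour the test reports.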