CSP Test for WP Scripts (v2)

This is a test case to see whether deferred inline scripts, as proposed in wordpress-develop#4391 (for Core-39941), are compatible with Content-Security-Policy (CSP). Note that the scripts intended to be executed include a nonce of r4nd0m. The default policy incorporates the 'strict-dynamic' source expression from Google's recommended Strict CSP. Unlike the previous version of this CSP test, which was incompatible with Strict CSP, this version is fully compatible with Strict CSP (including the exclusion of 'unsafe-eval'). Malicious inline scripts with an invalid nonce are no longer able to bypass CSP, since we now check for it explicitly (see 81abb8b). Additionally, the 'unsafe-hashes' source expression is no longer needed, since the onload event handler attributes have been removed in favor of a single capturing load event listener (see 10up#62).
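
The following is an added example, not code from this test page or from wordpress-develop#4391. It is a simplified model of how a browser decides whether inline script is allowed under script-src, showing why a nonce-only Strict CSP blocks onload handler attributes unless 'unsafe-hashes' and a matching hash are added. The policy strings, the placeholder digest and the function names are constructed for illustration; only the nonce r4nd0m comes from the page.

```javascript
// Simplified model of the CSP Level 3 inline checks for script-src (not a full parser).
// Assumes the policy carries a script-src directive; default-src fallback is not modelled.
function parseScriptSrc(header) {
  const directive = header.split(';').map(d => d.trim().split(/\s+/))
    .find(tokens => tokens[0].toLowerCase() === 'script-src');
  const sources = directive ? directive.slice(1) : [];
  const lower = sources.map(s => s.toLowerCase());
  return {
    nonces: sources.filter(s => /^'nonce-.+'$/i.test(s)).map(s => s.slice(7, -1)),
    hashes: sources.filter(s => /^'sha(256|384|512)-.+'$/i.test(s)).map(s => s.slice(1, -1)),
    strictDynamic: lower.includes("'strict-dynamic'"),
    unsafeInline: lower.includes("'unsafe-inline'"),
    unsafeHashes: lower.includes("'unsafe-hashes'"),
  };
}

// kind: 'script' for a <script> element, 'attribute' for an onload="..." style handler.
function allowsInline(policy, { kind, nonce = '', digest = '' }) {
  const p = parseScriptSrc(policy);
  // 'unsafe-inline' is ignored as soon as a nonce, a hash or 'strict-dynamic' is present.
  if (p.unsafeInline && !p.nonces.length && !p.hashes.length && !p.strictDynamic) return true;
  // Nonces apply only to elements; an event handler attribute cannot carry one.
  if (kind === 'script' && nonce && p.nonces.includes(nonce)) return true;
  // Hashes apply to elements, and to handler attributes only with 'unsafe-hashes'.
  if ((kind === 'script' || p.unsafeHashes) && digest && p.hashes.includes(digest)) return true;
  return false;
}

// Constructed policies in the Strict CSP form, using the page's nonce r4nd0m.
const STRICT = "script-src 'nonce-r4nd0m' 'strict-dynamic'; object-src 'none'; base-uri 'none'";
const HANDLER_DIGEST = 'sha256-CONSTRUCTED-PLACEHOLDER-DIGEST'; // stands in for a handler's hash
const WITH_HASHES = `script-src 'nonce-r4nd0m' 'strict-dynamic' 'unsafe-hashes' '${HANDLER_DIGEST}'`;

function demo() {
  return {
    noncedScript: allowsInline(STRICT, { kind: 'script', nonce: 'r4nd0m' }),
    wrongNonce: allowsInline(STRICT, { kind: 'script', nonce: 'bogus' }),
    onloadAttr: allowsInline(STRICT, { kind: 'attribute', digest: HANDLER_DIGEST }),
    onloadAttrWithUnsafeHashes: allowsInline(WITH_HASHES, { kind: 'attribute', digest: HANDLER_DIGEST }),
  };
}
console.log(demo());
```

The model covers only what the browser enforces on markup; the explicit nonce check the page refers to is performed by the test's own script and is not modelled here.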

@westonruter