Back to GD Security Headers Forum

CSP unsafe-hashes question

Published on: June 10, 2022 at 8:34 am · By: ernum
Author
Topic
#74778

Hello

I wanted to ask about unsafe-hashes, will that setting come into module also?

Sucuri scan suggests that: The ‘unsafe-inline’ keyword in Content-Security-Policy is not recommended. Consider using unsafe-hashes or nonces instead.

Or is this also now doable? 🙂

Best regards

Viewing 1 replies (of 1 total)
Author
Replies
  • #74779

    Hi,

    This is very hard to implement and extremly complicated in the way WordPress works. For hashes or nonces to be used, each embeded piece of JavaScript and CSS on each page (and it can be different on each page), has to be processed, hash calculated, modified output to include hash and add hash to CSP, and build different CSP for each page. And, single page can contain 20 or more such blocks, and each has to be processed everytime page is build. And, if you use some cache plugin, it is very likely that plugin would break all that.

    Hashes/Nonces concept is all fine and well on paper, but implementing it on dynamic system like WordPress is next to impossible. So far, I have seen few website that have that, but they have one or two embedded scripts on page, most likely doesn’t change them often, so they did it, but anything more complex is impossible to do.

    So, there are no plans to implement that.

    Regards,
    Milan

    Dev4Press - Premium plugins for WordPress.

Viewing 1 replies (of 1 total)
  • You must be logged in to reply to this topic.