Make WordPress Core

Opened 6 weeks ago

Closed 6 weeks ago

#61452 closed defect (bug) (duplicate)

remove Content-Security-Policy headers: 'unsafe-inline', 'unsafe-eval'

Reported by: wpsalvio Owned by:
Milestone: Priority: normal
Severity: normal Version: 6.4.3
Component: Security Keywords:
Focuses: Cc:

Description

Hello, our internal security team advised to remove the Content-Security-Policy headers: 'unsafe-inline', 'unsafe-eval'.

They explained that the Content Security Policy (CSP) is an HTTP response header that provides in-depth protection from critical vulnerabilities such as cross-site scripting (XSS) and clickjacking. Inline inclusion of JavaScript in HTML content is considered harmful as a large number of exploited XSS are delivered as inline code. Functions such as eval(), window.setTimeout(), and window.setImmediate() create and execute JavaScript code from strings and are considered dangerous. The CSP header disallows inclusion of inline JavaScript and unsafe eval functions. However, using unsafe-inline and unsafe-eval values for the script-src directive can bypass that restriction.

If we do it, we will block the execution of inline scripts, producing several errors and break several UI elements including most plugins we use.

Following is an example of a console error we get when forcing a Content Security Policy directive of "script-src 'self'" without the 'unsafe-inline', 'unsafe-eval' keywords on a standard WordPress installation.

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' http://www.vanilla.local https://ajax.googleapis.comhttps://www.google.comhttps://www.gstatic.com". Either the 'unsafe-inline' keyword, a hash ('sha256-sa6x1vExdinT1S8/9dgCiRo5tqcGRdDRNbPjwHRIUJU='), or a nonce ('nonce-...') is required to enable inline execution.

Is a patch from WordPress team expected to address this issue?

Thank you for your help!
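As an added illustration (not part of the ticket or of WordPress core), the hash-based alternative the console error above points at: hash each inline script body, emit a script-src that carries those hashes instead of 'unsafe-inline' or 'unsafe-eval', and check which inline scripts that policy would still allow. The HTML fragment and host list are constructed for the example.

```python
import base64
import hashlib
import re

# Constructed sample page: one inline <script> block and one external script.
SAMPLE_HTML = """<html><body>
<script>document.body.classList.add("js");</script>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
</body></html>"""

SCRIPT_RE = re.compile(r"<script(?P<attrs>[^>]*)>(?P<body>.*?)</script>", re.S)


def inline_script_bodies(html):
    """Return the exact text of each inline <script> block (those without src)."""
    return [m.group("body") for m in SCRIPT_RE.finditer(html)
            if "src=" not in m.group("attrs")]


def csp_hash_source(script_body):
    """CSP hash source for one inline script: sha256 over the exact UTF-8 body
    (whitespace included), base64-encoded, in the form the browser error shows."""
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def build_script_src(host_sources, html):
    """script-src directive that allows the page's inline scripts by hash,
    so neither 'unsafe-inline' nor 'unsafe-eval' is needed for them."""
    hashes = [csp_hash_source(body) for body in inline_script_bodies(html)]
    return "script-src " + " ".join(["'self'", *host_sources, *hashes])


def inline_allowed(directive, script_body):
    """Would a browser execute this inline script under the directive?
    Only 'unsafe-inline' or a matching hash allows it; any edit to the body,
    even a single whitespace change, invalidates the hash. Nonces are not modelled."""
    tokens = directive.split()
    return "'unsafe-inline'" in tokens or csp_hash_source(script_body) in tokens


if __name__ == "__main__":
    policy = build_script_src(["https://ajax.googleapis.com"], SAMPLE_HTML)
    print(policy)
    for body in inline_script_bodies(SAMPLE_HTML):
        print(repr(body), "allowed:", inline_allowed(policy, body))
```

A plugin that injects inline scripts the site operator does not control, or that relies on eval(), still breaks under such a policy; the hashes have to be regenerated whenever the inline script text changes.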

Change History (4)

#1 @samiamnot
6 weeks ago

@wpsalvio ,
There is an open ticket #61452 opened 9 years ago that covers this request. If it were easy to implement (without breaking millions of WordPress sites), it would already have been done. There is also some work done as part of #51407 that is related to the above, as is #53902. Also see #39941 where some of the work was done for WordPress 5.7.
I look forward to the day that this enhanced security is available to WordPress sites.

#2 @wpsalvio
6 weeks ago

Thank you @samiamnot, could you please link the 9-year-old ticket for my reference? You linked the one I created today by mistake... thanks again for the valuable comment!

#3 @samiamnot
6 weeks ago

@wpsalvio ,
Sorry about that. The old ticket I meant to reference was #32067.

#4 @dd32
6 weeks ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

> Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' http://www.vanilla.local https://ajax.googleapis.comhttps://www.google.comhttps://www.gstatic.com". Either the 'unsafe-inline' keyword, a hash ('sha256-sa6x1vExdinT1S8/9dgCiRo5tqcGRdDRNbPjwHRIUJU='), or a nonce ('nonce-...') is required to enable inline execution.

These are most likely caused by plugins you're using, rather than WordPress itself, as a few of them don't appear to be WordPress core.

> Is a patch from WordPress team expected to address this issue?

There's some work happening in #39941 & #59446 to ensure that WordPress administration areas are able to use CSP headers, but IMHO it's unlikely that WordPress itself will resolve this fully anytime soon for front-end websites; #32067 is probably the best central ticket for this.
