javascript - Adding nonce or hashes to inline scripts


One of my clients has a CSP policy that is VERY tight. And it makes it so all inline scripts are declined.

So I'm looking into adding a hash or nonce to all scripts on the page, whatever their origin (I've got some coming from things like WPML and LiteSpeed Cache, so I can't really just manually go add it with a hook every time).

Asked Dec 10, 2020 at 21:46 by Fredy31; edited Dec 11, 2020 at 16:30 by fuxia.
  • When you say add a hash or nonce, can you elaborate? There are several things that could mean. If what you meant was SRI, then that may not solve your problem, and you may also run into a brick wall trying to get some plugins to work. That CSP restriction will also cause fundamental incompatibilities; there are parts of WP Admin that can never work with the inline restriction, the kind that's generated dynamically on the fly so you can't attach SRI to it. The only reliable fix to this is to change the CSP policy. – Tom J Nowell, Dec 10, 2020 at 23:56
  • Yeah, for that I'm kinda fucked. The CSP policy has been requested by the morons in the IT department of the parent company of my client. I don't think I can go fight them on that. So I'm stuck with the CSP. – Fredy31, Dec 11, 2020 at 14:12
  • Then there is nothing you can do. Luckily this isn't your problem: tell your client you tried your best, but what they want is not possible because of the CSP policy, and there is no workaround. Without a change in the CSP policy this will never work. If they ask why, point them towards plugins and the underscores JavaScript library's template functions. Otherwise you will have to fork every plugin and fix them manually, replace parts of WordPress core, and quote them several months of full-time work, possibly a year or longer. – Tom J Nowell, Dec 11, 2020 at 20:35
  • Yeah, that is what we ended up doing. Just throwing it to our client and saying "your site bugs because of the overbearing requests of your IT; deal with them if you want to have a website that works". The site doesn't have anything to protect (no transactions or damaging private information), so I just told them that what their IT department was asking for was the security of having a safe inside a vault... to protect your Harry Potter book. – Fredy31, Dec 11, 2020 at 20:38

2 Answers

In case you need to add SRI to script file resources, this great approach should do the trick.

https://joshuatz.com/posts/2020/adding-extra-attributes-to-style-and-script-tags-in-wordpress/

It provides a tool to add any attribute to script and style elements added by wp_enqueue_, and has a good example there, with exactly this thought in mind.

One caveat is it works for scripts in the head and maybe not in the body right now.

For inline scripts, I am still looking for a good solution myself.
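The gap this answer leaves, inline scripts that plugins echo straight into the page, can be closed at the WordPress layer with a per-request nonce. The following is an added example, not code from the question, the answers or the linked article; it assumes it is loaded as a must-use plugin and that WordPress, not the web server, sends the CSP header.

```php
<?php
// Added example (not from the question, the answers or the linked article):
// a per-request nonce stamped on every <script> tag the page emits, plus the
// matching Content-Security-Policy header. Assumption: runs as a must-use plugin.

// Per-request nonce from a CSPRNG; the same value is reused for the header
// and for every tag on this response.
function csp_request_nonce() {
    static $nonce = null;
    if ( null === $nonce ) {
        $nonce = base64_encode( random_bytes( 16 ) );
    }
    return $nonce;
}

// Send the policy. 'strict-dynamic' lets scripts that a nonced script itself
// creates run without their own nonce; object-src/base-uri tighten the rest.
add_action( 'send_headers', function () {
    header( sprintf(
        "Content-Security-Policy: script-src 'nonce-%s' 'strict-dynamic'; object-src 'none'; base-uri 'self'",
        csp_request_nonce()
    ) );
} );

// Enqueued scripts: add the attribute where WordPress builds the <script> tag.
add_filter( 'script_loader_tag', function ( $tag, $handle, $src ) {
    if ( false === stripos( $tag, ' nonce=' ) ) {
        $tag = str_replace( '<script ', '<script nonce="' . esc_attr( csp_request_nonce() ) . '" ', $tag );
    }
    return $tag;
}, 10, 3 );

// Everything else (plugins echoing inline <script> blocks directly into the
// page): buffer the front-end output and stamp any <script> tag still
// lacking a nonce. Tags that already carry one are left untouched.
add_action( 'template_redirect', function () {
    ob_start( function ( $html ) {
        $nonce = esc_attr( csp_request_nonce() );
        return preg_replace_callback(
            '/<script\b([^>]*)>/i',
            function ( $m ) use ( $nonce ) {
                if ( preg_match( '/\bnonce=/i', $m[1] ) ) {
                    return $m[0];
                }
                return '<script nonce="' . $nonce . '"' . $m[1] . '>';
            },
            $html
        );
    } );
} );
```

Blanket stamping re-admits any inline script that reaches the output, including one injected through a stored XSS, so it satisfies the header without restoring the protection a nonce policy is meant to give; that trade-off is why the comments above recommend changing the policy instead. A full-page cache such as LiteSpeed Cache would also serve stale nonces in cached HTML unless the header is cached with it, which is where per-script hashes are the cache-friendly alternative.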

I have been trying to do the same thing and recently stumbled across this WordPress plugin that claims to support the creation of a Strict CSP.

https://wordpress.org/plugins/no-unsafe-inline/

It looks to still be in the early stages of development, but the reviews are positive. I will be testing on a non-production server shortly.
