Skip to:

Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#7663 closed enhancement (wontfix)

Allow using Content-Security-Policy without unsafe-inline

Reported by: bymiki's profile bymiki Owned by:
Milestone: Priority: normal
Severity: normal Version: 2.9.2
Component: I18N Keywords:
Cc: miguelglb@…


Currently when using Content-Security-Policy with BuddyPress, you must use the unsafe-inline directive because there are some blocks of inline JavaScript in BuddypPress core. This means that the browser cannot protect the user from attacks using XSS vulnerabilities. This is an unsatisfying situation because XSS vulnerabilities can be found in a great number of other WordPress plugins.

I found at least two inline JavaScript:

/* <![CDATA[ */
var BP_Confirm = {"are_you_sure":"\xxxxx"};
/* ]]> */


/* <![CDATA[ */
var BP_DTheme = {"accepted":"xxxr"};
/* ]]> */

Change History (3)

#1 @DJPaul
7 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed

Thanks for writing, @bymiki.

I can't talk for all instances, but for these two, they are dynamic variables which handle translations for UI elements. This means we can't put them into a JS file. Both come from use of WordPress' wp_localize_script() function, which means you're going to have the same problem with parts of WordPress.

I think this quite topical at the moment, because WordPress' Gutenberg feature requires translated strings, and I know there's work going into WordPress to improve and perhaps change how JS translations and other dynamic strings (nonces, etc) are handled.

See #WP10237 and #WP32067, and the myriad of linked tickets from those (#WP39941, and so on).

I think because we have so few contributors compared to WordPress (by orders of magnitude), this is an area we don't have resources to pioneer a solution for, and I'd argue we don't *need* to, given the focus in WordPress itself around this sort of area.

If a future WordPress changes the APIs in a backwards compatible fashion, BuddyPress is fixed. If the WordPress community finds a different approach to solve this, then yes, we'll update.

Thanks for the suggestion, and I apologise that I can't say "we'll fix this soon".

Last edited 7 years ago by DJPaul (previous) (diff)

#2 @DJPaul
7 years ago

  • Component changed from (not sure) to I18N

#3 @bymiki
7 years ago

  • Cc miguelglb@… added

I Understand. Thank you @DJPaul

Note: See TracTickets for help on using tickets.