Support » Plugin: Security Headers » content security policy

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author SimonRWaters

    (@simonrwaters)

    Thanks Amir

    I aim to do that in the next release.

    I am familiar with CSP, but I’ve not created a decent policy for my own WordPress site, let alone everyone else’s.

    The place you need it is mostly in the admin pages. The main take-home is: don’t start from here. Decent CSP needs unsafe-inline, which probably means rewriting WordPress and all its plugins.

    Plugin Author SimonRWaters

    (@simonrwaters)

    This didn’t make 0.9.

    I’m still not convinced a meaningful CSP is workable with WordPress.

    Best I can imagine is some basic controls, and an easy way to add extra domains for images and scripts (and maybe fonts and styles).

    Probably better to focus on a modern blogging or CMS platform which avoids inline style, inline script, and JavaScript evaluation, or static site builders depending on the threat model.
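
A sketch of the "basic controls plus an easy way to add extra domains" idea from the reply above, as an added example that is not part of the thread and not code from the Security Headers plugin. The function names, the baseline policy and the sample hosts are assumptions made for illustration.

```php
<?php
// Added example (hypothetical helper names, not the plugin's API).
// Only these resource types may be extended by the site owner.
const CSP_EXTENDABLE = ['img-src', 'script-src', 'font-src', 'style-src'];

/** Accept only plain host sources, e.g. cdn.example.com or https://*.example.com */
function csp_is_host_source(string $source): bool
{
    $label = '[a-z0-9]([a-z0-9-]*[a-z0-9])?';
    $re = '~^(https://)?(\*\.)?' . $label . '(\.' . $label . ')+(:\d{1,5})?$~iD';
    return preg_match($re, $source) === 1;
}

function csp_build(array $extra_hosts): string
{
    // Assumed baseline. 'unsafe-inline' stays because the thread treats inline
    // script and style as unavoidable in WordPress; it limits what CSP can stop.
    $policy = [
        'default-src' => ["'self'"],
        'img-src'     => ["'self'"],
        'script-src'  => ["'self'", "'unsafe-inline'"],
        'style-src'   => ["'self'", "'unsafe-inline'"],
        'font-src'    => ["'self'"],
        'object-src'  => ["'none'"],
    ];
    foreach ($extra_hosts as $directive => $hosts) {
        if (!in_array($directive, CSP_EXTENDABLE, true)) {
            continue; // ignore directives outside the allowed set
        }
        foreach ($hosts as $host) {
            $host = strtolower(trim($host));
            // Drops keywords and anything with spaces, quotes or ';'
            // that would otherwise add or alter a directive.
            if (csp_is_host_source($host) && !in_array($host, $policy[$directive], true)) {
                $policy[$directive][] = $host;
            }
        }
    }
    $parts = [];
    foreach ($policy as $directive => $sources) {
        $parts[] = $directive . ' ' . implode(' ', $sources);
    }
    return implode('; ', $parts);
}

// Constructed sample input, as it might arrive from a settings form.
$value = csp_build([
    'img-src'    => ['https://secure.gravatar.com', 'example.com; script-src *'],
    'script-src' => ['cdn.example.com', "'unsafe-eval'"],
    'frame-src'  => ['frames.example.com'],
]);
// Report-Only surfaces violations without blocking anything yet.
echo 'Content-Security-Policy-Report-Only: ' . $value . PHP_EOL;
```

Only `https://secure.gravatar.com` and `cdn.example.com` end up in the emitted policy; the malformed entry, the keyword and the `frame-src` key are dropped.
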

    Thread Starter Amir

    (@repenter)

    No problem man, thanks anyway for the update 🙂

  • The topic ‘content security policy’ is closed to new replies.