Title: Content Security Policy in WordPress?
Last modified: April 8, 2018

---

# Content Security Policy in WordPress?

 *  [gore.m](https://wordpress.org/support/users/gorem/)
 * (@gorem)
 * [8 years, 1 month ago](https://wordpress.org/support/topic/content-security-policy-in-wordpress/)
 * Hello,
 * after I spent a few days setting up Content Security Policy I ended up with a
   question: Is it worth it?
    I mean if I'm using WooCommerce, WPML and other plugins
   that output a lot of inline JS and CSS and I have my own inline JS and CSS…
   so it looks almost impossible to sort it out without any risk of problems.
   If I consider that everything should be escaped (and I'm using only WooCommerce
   search, login and registration etc)… Is it worth it?
 * Thank you
    -  This topic was modified 8 years, 1 month ago by [Jan Dembowski](https://wordpress.org/support/users/jdembowski/).
      Reason: Moved to Fixing WordPress, this is not a Developing with WordPress
      topic

Viewing 2 replies - 1 through 2 (of 2 total)

 *  Moderator [Jan Dembowski](https://wordpress.org/support/users/jdembowski/)
 * (@jdembowski)
 * Forum Moderator and Brute Squad
 * [8 years, 1 month ago](https://wordpress.org/support/topic/content-security-policy-in-wordpress/#post-10158607)
 * > after I spent a few days setting up Content Security Policy I ended up with a
   > question: Is it worth it?
 * It _could be_ worth it, but it sure is a pain in the euphemism to set up.
 * _*Drinks coffee*_
 * See [https://scotthelme.co.uk/content-security-policy-an-introduction/](https://scotthelme.co.uk/content-security-policy-an-introduction/)
   for more details.
 * If you have a too permissive CSP then that sort of defeats the purpose. Many 
   people have a FB icon/like button, a Twitter feed in a side bar, a Youtube video
   etc. on their site. Without a CSP header the browser says “OK” and loads those
   referenced assets and scripts. It just works.
 * When you add CSP and you miss something then parts of your site stop working 
   in your visitor’s browser. Not good. If you can get all of the references correct
   and your browser (try with Chrome and Firefox) does not complain about blocked
   by policy assets then you got it right.
 *  Thread Starter [gore.m](https://wordpress.org/support/users/gorem/)
 * (@gorem)
 * [8 years, 1 month ago](https://wordpress.org/support/topic/content-security-policy-in-wordpress/#post-10158661)
 * I know and I agree. I forgot to write “I got it working” – but with my
   demands lowered.
 * If I understand it right, using ‘unsafe-inline’ with CSP is counter-productive. (?)
   So… **inline JS and CSS were the most painful parts…** the best way – and maybe
   the only one – was to use ‘self’ and aggregate all inline JS and CSS with Autoptimize.
 * But then I realised that I would rather not aggregate the cart and checkout pages
   and that I need to run `<script> jQuery function </script>` **before content is
   loaded** (so I hardcoded it in the header template)… and I'm in trouble… then
   I realised: Isn't everything escaped already? So… Do you think it is worth it in
   my case?
 * Maybe… the main problem is that I don't exactly understand how XSS works… is it possible
   to inject anything without input boxes etc?
 * Thank you
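
An added example, not part of the thread: one way to allow a hardcoded inline script without ‘unsafe-inline’ is to list its SHA-256 hash in the policy next to ‘self’. The sample page and the function names below are constructed for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser

# Constructed sample page: one hardcoded inline script in the header template,
# one inline style, and one external script served from the site itself.
SAMPLE_HTML = """<html><head>
<script>jQuery(function(){ document.documentElement.className = 'js'; });</script>
<style>.cart{display:none}</style>
<script src="/assets/site.js"></script>
</head><body><p>Shop</p></body></html>"""

def csp_hash(text):
    """CSP hash source: base64 of the SHA-256 of the exact element text."""
    digest = hashlib.sha256(text.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

class InlineCollector(HTMLParser):
    """Collects the text of inline <script> and <style> elements."""
    def __init__(self):
        super().__init__()
        self.inline = {"script": [], "style": []}
        self._open = None
    def handle_starttag(self, tag, attrs):
        # A <script src=...> is external and is covered by 'self' or a host source.
        if tag in self.inline and not dict(attrs).get("src"):
            self._open = tag
            self.inline[tag].append("")
    def handle_data(self, data):
        if self._open:
            self.inline[self._open][-1] += data
    def handle_endtag(self, tag):
        if tag == self._open:
            self._open = None

def build_policy(html):
    """Policy with 'self' plus one hash per inline block, no 'unsafe-inline'."""
    collector = InlineCollector()
    collector.feed(html)
    collector.close()
    parts = []
    for tag, directive in (("script", "script-src"), ("style", "style-src")):
        hashes = sorted({csp_hash(t) for t in collector.inline[tag]})
        parts.append(" ".join([directive, "'self'"] + hashes))
    return "; ".join(parts)

def inline_script_allowed(policy, script_text):
    """Simplified browser check: the script's hash must be listed in script-src."""
    script_src = next(d for d in policy.split("; ") if d.startswith("script-src"))
    return csp_hash(script_text) in script_src.split()
```

Hashes only cover inline blocks whose text never changes; inline code that a plugin generates with per-request values produces a different hash each time. Sending the result as `Content-Security-Policy-Report-Only` first shows in the browser console what would be blocked without breaking the page.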

The topic ‘Content Security Policy in WordPress?’ is closed to new replies.

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 2 replies
 * 2 participants
 * Last reply from: [gore.m](https://wordpress.org/support/users/gorem/)
 * Last activity: [8 years, 1 month ago](https://wordpress.org/support/topic/content-security-policy-in-wordpress/#post-10158661)
 * Status: not resolved

