This plugin enforces a Strict Content Security Policy (CSP) on the frontend and login screen. This helps mitigate cross-site scripting (XSS) vulnerabilities. The policy cannot yet be applied to the WP Admin (see #59446).
In #58664, the manual construction of script tags was eliminated from Instead, do this: So in order for scripts to execute, they must be printed using the relevant APIs in WordPress for adding scripts, including Refused to execute inline script because it violates the following Content Security Policy directive: 「script-src 『nonce-9b539cfe47』 『unsafe-inline』 『strict-dynamic』 https: http:」. Note that 『unsafe-inline』 is ignored if either a hash or nonce value is present in the source list. This also blocks scripts inside of event handler attributes, such as Warning: The use of event handler content attributes is discouraged. The mix of HTML and JavaScript often produces unmaintainable code, and the execution of event handler attributes may also be blocked by content security policies. This plugin also ensures that scripts added to the page from embeds (e.g. Tweets) also get the WP_Scripts and inline scripts on frontend/login screen, thanks to the helper functions which had previously been introduced in #39941. This made it possible to apply Strict CSP, as long as themes and plugins are not directly printing '; // ❌
}
add_action( 'wp_footer', 'my_theme_supports_js' );
function my_theme_supports_js() {
wp_print_inline_script_tag( 'document.body.classList.remove("no-js");' ); // ✅
}
add_action( 'wp_footer', 'my_theme_supports_js' );
wp_enqueue_script(), wp_add_inline_script(), wp_localize_script(), wp_print_script_tag(), wp_print_inline_script_tag(), and wp_enqueue_script_module(). Otherwise, a script』s execution will be blocked and an error will appear in the console, for example:
onclick, onchange, onsubmit, and onload. As noted on MDN:
nonce attribute added.
