<?php
/**
 * Plugin Name: CSP
 * Description: Uses inline_js() to make CSP happen
 */

// Attach a nonce attribute to every <script> tag emitted through inline_js().
add_filter('inline_js_attributes', function ($attr) {
    $nonce = wp_create_nonce('csp');
    return $attr . ' nonce="' . esc_attr($nonce) . '" ';
});

// Emit a matching policy as a <meta> tag in the admin <head>.
add_action('admin_head', function () {
    $nonce = wp_create_nonce('csp');
    ?>
    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-<?php echo esc_attr($nonce); ?>'">
    <?php
});

@jrchamp jrchamp commented Feb 6, 2018

Does wp_create_nonce reuse the value if it has already been generated? Otherwise, we'll probably hit a timing issue if the page takes a couple seconds to load. Also, we need to make sure that not-logged-in users get different nonces even if they load the page at the same time.
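The question above is the right one to ask: wp_create_nonce() derives its value from the action name, the user ID, the session token and the current time tick, so it is stable for one user across a tick (and identical for every logged-out visitor in that tick) rather than fresh and unguessable per response, which is what a CSP nonce is meant to be. The following is an added example, not code from the gist or from its author, showing a per-request random nonce that is memoized so the policy and every script tag in the same response agree. It assumes the same hypothetical inline_js_attributes filter the gist relies on; wp_create_nonce is left to its normal job of protecting form submissions and AJAX actions.

```php
<?php
// Added example, not part of the gist: one random CSP nonce per HTTP request.
// Assumes the hypothetical inline_js_attributes filter used by the gist.

/**
 * Return the nonce for the current request, generating it on first use.
 * The static keeps the value stable for the rest of this response, so the
 * policy header and every inline <script> carry the same nonce, while each
 * visitor (logged in or not) gets an independent random value.
 */
function csp_request_nonce() {
    static $nonce = null;
    if ($nonce === null) {
        // 16 bytes from the CSPRNG, base64-encoded as the CSP grammar expects.
        $nonce = base64_encode(random_bytes(16));
    }
    return $nonce;
}

// Attach the per-request nonce to every <script> emitted through inline_js().
add_filter('inline_js_attributes', function ($attr) {
    return $attr . ' nonce="' . esc_attr(csp_request_nonce()) . '" ';
});

// Send the policy as a response header on front-end requests, before any
// output is produced; the header form also covers pages without a <head>.
add_action('send_headers', function () {
    header("Content-Security-Policy: script-src 'self' 'nonce-" . csp_request_nonce() . "'");
});
```

The send_headers action fires for front-end page loads; for wp-admin pages the gist's admin_head <meta> tag can call csp_request_nonce() in place of wp_create_nonce('csp') so both surfaces use the same generator.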
