@mallorydxw
Created February 17, 2017 20:51
```php
<?php
/*
 * Plugin Name: CSP
 * Description: Uses inline_js() to make CSP happen
 */

// Append a nonce attribute to every <script> tag emitted by inline_js().
// wp_create_nonce() derives the value from the action name, the current user and
// a 12-hour tick, so the same value comes back for the rest of that window.
add_filter('inline_js_attributes', function ($attr) {
    $nonce = wp_create_nonce('csp');
    return $attr . ' nonce="' . esc_attr($nonce) . '" ';
});

// Emit the policy as a <meta> tag in the admin <head>, using the same nonce value
// that the filter above attached to the inline scripts.
add_action('admin_head', function () {
    $nonce = wp_create_nonce('csp');
    ?>
    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-<?php echo esc_attr($nonce) ?>'">
    <?php
});
```
jrchamp commented Feb 6, 2018

Does wp_create_nonce reuse the value if it has already been generated? Otherwise, we'll probably hit a timing issue if the page takes a couple seconds to load. Also, we need to make sure that not-logged-in users get different nonces even if they load the page at the same time.
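Added example (not the gist's code and not part of the thread): a variant of the plugin above that issues one fresh, unpredictable nonce per response instead of reusing a wp_create_nonce() value. WordPress nonces are derived from the action, the user ID, the session token and a 12-hour tick, so within that window the value repeats, and for logged-out visitors (user ID 0, no session token) every visitor receives the same one. A CSP nonce has to be unguessable per response, which is what random_bytes() gives here. The helper name csp_example_request_nonce() is hypothetical; the inline_js_attributes hook is the same one the gist filters, and the header is sent on admin_init, which fires before any admin output so header() still works (the gist's admin_head hook runs after output has started, hence its <meta> tag).

```php
<?php
/*
 * Plugin Name: CSP (per-request nonce example)
 * Description: Added example, not the gist's code. One random CSP nonce per response.
 */

// Hypothetical helper: returns a single random nonce for the lifetime of this request,
// so the header and every inline_js() script tag agree on the same value.
function csp_example_request_nonce(): string
{
    static $nonce = null;
    if ($nonce === null) {
        // 16 bytes from the CSPRNG, base64-encoded: the 'nonce-...' source in CSP
        // expects a base64 value, and it must be fresh and unguessable per response.
        $nonce = base64_encode(random_bytes(16));
    }
    return $nonce;
}

// Same filter hook as the gist: attach the per-request nonce to inline_js() output.
add_filter('inline_js_attributes', function ($attr) {
    return $attr . ' nonce="' . esc_attr(csp_example_request_nonce()) . '"';
});

// Send the policy as a real HTTP header. admin_init runs before admin-header.php
// begins output, so header() is still possible here; the headers_sent() guard keeps
// a stray early echo from turning into a PHP warning instead of a missing policy.
add_action('admin_init', function () {
    if (headers_sent()) {
        return;
    }
    $nonce = csp_example_request_nonce();
    header("Content-Security-Policy: script-src 'self' 'nonce-{$nonce}'");
});
```

Because the nonce lives in a static local, the value is identical for both callers within one request and different on the next request, regardless of whether the visitor is logged in; a page that takes several seconds to render still sees a single value, since nothing ties it to a clock tick.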
