<?php
/*
 * Plugin Name: CSP
 * Description: Uses inline_js() to make CSP happen
 */

// Append a nonce attribute to every inline <script> tag rendered through
// inline_js(); the filter receives the tag's attribute string.
add_filter('inline_js_attributes', function ($attr) {
    $nonce = wp_create_nonce('csp');
    return $attr . ' nonce="' . esc_attr($nonce) . '" ';
});

// Emit the matching policy in the admin <head>. wp_create_nonce() derives its
// value from the current user/session and a time window rather than from
// fresh randomness, so both hooks in one request produce the same token.
add_action('admin_head', function () {
    $nonce = wp_create_nonce('csp');
    ?>
    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-<?php echo esc_attr($nonce); ?>'">
    <?php
});
@jrchamp
commented Feb 6, 2018

Does wp_create_nonce reuse the value if it has already been generated? Otherwise, we'll probably hit a timing issue if the page takes a couple seconds to load. Also, we need to make sure that not-logged-in users get different nonces even if they load the page at the same time.
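An added example, not the gist's code, of the per-response variant the question above is about: one random nonce is generated per request and shared by the CSP header and every inline script, so concurrent anonymous visitors never receive the same value. It swaps wp_create_nonce() for random_bytes() and assumes the same inline_js_attributes filter the gist uses.

```php
<?php
/*
 * Plugin Name: CSP (per-request nonce)
 * Description: Added example. One random nonce per HTTP response, applied to
 * both the Content-Security-Policy header and the inline_js_attributes filter.
 */

// Return this response's nonce, generating it on first use so every caller in
// the same request (header and all inline scripts) sees one value, while each
// new request, including simultaneous anonymous ones, gets a fresh one.
function csp_request_nonce() {
    static $nonce = null;
    if ($nonce === null) {
        // 16 random bytes -> 24-character base64 token, which is within the
        // base64 alphabet CSP requires for nonce values.
        $nonce = base64_encode(random_bytes(16));
    }
    return $nonce;
}

// Build the policy string for a given nonce.
function csp_header_value($nonce) {
    return "script-src 'self' 'nonce-" . $nonce . "'";
}

// Send the policy as a real HTTP header instead of a <meta> tag; this covers
// the front end (send_headers) and the admin (admin_init) before any output.
function csp_send_header() {
    if (!headers_sent()) {
        header('Content-Security-Policy: ' . csp_header_value(csp_request_nonce()));
    }
}
add_action('send_headers', 'csp_send_header');
add_action('admin_init', 'csp_send_header');

// Attach the same nonce to every inline script emitted via inline_js().
add_filter('inline_js_attributes', function ($attr) {
    return $attr . ' nonce="' . esc_attr(csp_request_nonce()) . '"';
});
```

Because the value is cached for the lifetime of the request only, a slow page load cannot drift across a validity window the way a time-bucketed token can.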
