Skip to content

Prod release #705

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
snim2 merged 16 commits into from
Sep 5, 2025
Merged

Prod release #705

snim2 merged 16 commits into from
Sep 5, 2025

Conversation

@snim2
Copy link
Contributor

@snim2 snim2 commented Sep 5, 2025

Tighten the CSP so that src-scripts no longer has unsafe-inline but instead validates a nonce on every script.

snim2 and others added 16 commits August 29, 2025 08:32
@snim2
Add Gravatar to secure image sources in CSP
62fb284
@snim2
Only suppply a CSP on the front-end of the site
fc7d683 
We expect that styles and scripts rendered in the admin
dashboard will not be filterable, so only supply a
CSP for the front-end.
@snim2
Add Plausible script via wp_print_script_tag
1e1c36b 
So we can use it with a CSP.
@snim2
Remove unsafe-inline from script-src in CSP
ad6946d 
And add a nonce to all enqueued scripts.
@snim2
Refactor: lift nonce generation to method
ff8ec27
@snim2
Do not supply a CSP on the WP login page
0216f58
@snim2
Release v1.1.0 of advisories-headers
4010b19
@snim2
Remove all support for user avatars
c97e526 
In preparation for removing gravatar.com from the CSP.
@snim2
Remove gravatar.com from the CSP
60180fe
@snim2
Release v2.0.0 of advisories-headers
fdb79ac
@snim2
Merge pull request #699 from dxw/chore/tighten-content-security-policy
cad14ab 
Chore/tighten content security policy
@snim2
FIX: whitespace
d4c8ab9
@snim2
refactor: move logic into addContentSecurityPolicy
918c8d7 
Make addContentSecurityPolicy solely responsible for deciding
when to add a CSP to a page. Applies SRP.
@snim2
Correctly generate CSP for front page
309131e 
Previously a bug in the implementation of is_login() caused
CSPs to be omitted for any page which partially matched the
path '/wp-login.php' including '/'.

Now, we work around that by checking SCRIPT_NAME in the
superglobal directly.

See:
    https://core.trac.wordpress.org/ticket/63896#ticket
@snim2
Release v2.1.0 of advisories-headers
e5bb732
@snim2
Merge pull request #704 from dxw/fix/front-page-should-have-csp
ece1261 
Fix/front page should have csp
@snim2 snim2 merged commit 7bf45c0 into main Sep 5, 2025
15 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@leedxw leedxw leedxw approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@snim2 @leedxw