• Resolved Gevorg

    (@gev0rg)


    Hello

    I am currently testing your plugin for a website that I work on.

    I would like to know whether it is currently possible to add a “nonce” security token to all the needed content element tags, that is, a security token which is unique and is generated anew each time a page is loaded.

    Currently it’s possible in your plugin to add the hashes of all the content elements to the CSP, but this needs to be done manually, right? Does your plugin have any means to recognize these hashes automatically and add them to the CSP rule-set?

    Sincerely,
    Gevorg

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Milan Petrovic

    (@gdragon)

    With WordPress, this would be next to impossible. When you consider cache plugins, implementing auto nonce can’t be done without some standardization for CSS and JS that every cache plugin will adopt.

    Thread Starter Gevorg

    (@gev0rg)

    I have tried it myself with a manual solution and it was not feasible with WordPress. Each time the user makes inline changes, be it CSS or JavaScript, the new hashes need to be added to the CSP rule. And some installed plugins have the habit of loading external content belatedly, the very same thing which CSP is supposed to prevent. I have not thought about cache plugins; this may make it even more complicated.

    Plugin Author Milan Petrovic

    (@gdragon)

    Yeah, it is unlikely this can get implemented at all.
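
The two obstacles raised in this thread, shown as an added example that is not part of the thread or of the plugin's code: CSP hashes can be derived automatically from the final HTML but change with every inline edit, and a nonce baked into a cached page body stops matching once the header carries a fresh one. The sample page, `/assets/app.js` and all function names are constructed for illustration, and the sketch assumes a step that can see the fully rendered HTML.

```python
import base64
import hashlib
from html.parser import HTMLParser

# Constructed sample page; __NONCE__ is replaced per response by render().
PAGE = ('<html><head><style>body{margin:0}</style></head><body>'
        '<script nonce="__NONCE__">console.log("menu ready");</script>'
        '<script src="/assets/app.js"></script></body></html>')

class InlineCollector(HTMLParser):
    """Collects the exact text of inline <script> and <style> elements."""
    def __init__(self):
        super().__init__()
        self.blocks = {"script": [], "style": []}
        self._open = None

    def handle_starttag(self, tag, attrs):
        # Scripts with a src attribute are external, so they get no hash.
        if tag in self.blocks and "src" not in dict(attrs):
            self._open = tag
            self.blocks[tag].append("")
    def handle_data(self, data):
        if self._open:
            self.blocks[self._open][-1] += data
    def handle_endtag(self, tag):
        if tag == self._open:
            self._open = None

def csp_hash(text):
    """CSP hash source: base64 of SHA-256 over the element's exact text."""
    digest = hashlib.sha256(text.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

def hash_policy(html):
    """Build script-src/style-src from whatever inline blocks the page has."""
    collector = InlineCollector()
    collector.feed(html)
    collector.close()
    parts = []
    for directive, tag in (("script-src", "script"), ("style-src", "style")):
        hashes = sorted({csp_hash(t) for t in collector.blocks[tag]})
        parts.append(" ".join([directive, "'self'"] + hashes))
    return "; ".join(parts)

def render(nonce):
    return PAGE.replace("__NONCE__", nonce)

def cached_body_matches(cached_html, header_nonce):
    """True only if the cached body carries the nonce sent in the header."""
    return f'nonce="{header_nonce}"' in cached_html
```

The hash policy is identical for every response of an unchanged page, which is why it survives caching, while any edit to an inline block yields a different policy.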
