28 Jul 2017

CSP v3 in WordPress?

Following on from my last post, “SSL CERTIFICATION WITH CSP & HSTS”: how do you add CSP to WordPress?

Well, the short story: the v3 format of CSP is easy to implement with some know-how. In production mode, where “Analytics” and FBEvent are loaded via a .js file, it won’t work (at least for now; I’ll update the post when I find the trick).

Let’s talk about the CSPv3 format. It’s far better than the CSPv2 format, where you have to explicitly tell the HTTP server which “sites” are allowed. In v3 you can use a nonce, what a wonderful idea. In production mode, though, you will find several problems: Analytics won’t get loaded (document.createElement doesn’t have “nonce”), and I’m pretty sure if it will ever have! Code injection, a.k.a. facepalm. Side note: it would not be “secure” if you could inject any code via the console, so why would you want CSP at all… Of course you can trigger the Analytics code via WordPress injections, but then it won’t be async anymore… Well, complicated.

Here is what I came up with in my research, snipping a plugin together. First, create the mu-plugins folder, then add the plugin (within the folder).

What does it do?

It reads the complete output buffer and changes the script/style tags into valid nonce tags. That’s it.
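The plugin code itself is not on this page. As an added example (not the author's plugin), a must-use plugin following the description above could look like this; the file name and the `csp_example_add_nonce` helper are assumptions, and the `template_redirect` hook is one possible place to start the buffer.

```php
<?php
// Added example, not the post's plugin.
// Assumed location: wp-content/mu-plugins/csp-nonce.php
// csp_example_add_nonce is a hypothetical helper name.

/** Add nonce="..." to every <script>/<style> opening tag that lacks one. */
function csp_example_add_nonce(string $html, string $nonce): string
{
    $attr = ' nonce="' . htmlspecialchars($nonce, ENT_QUOTES) . '"';
    $out = preg_replace_callback(
        // Opening tag named script or style, with no nonce attribute yet.
        '/<(script|style)(?=[\s>])(?![^>]*\snonce\s*=)([^>]*)>/i',
        static fn(array $m): string => '<' . $m[1] . $attr . $m[2] . '>',
        $html
    );
    return $out ?? $html; // on a PCRE error, pass the page through unchanged
}

if (function_exists('add_action')) {
    // template_redirect runs when a front-end template is about to load,
    // before any output, so the header can still be sent here.
    add_action('template_redirect', static function (): void {
        // One fresh, unpredictable nonce per response.
        $nonce = base64_encode(random_bytes(16));
        header("Content-Security-Policy: script-src 'nonce-{$nonce}'; "
            . "style-src 'nonce-{$nonce}'");
        // Buffer the whole page and rewrite it when the buffer is flushed.
        ob_start(static fn(string $buf): string => csp_example_add_nonce($buf, $nonce));
    });
} else {
    // Stand-alone run (php csp-nonce.php) on constructed markup.
    $sample = '<script src="/a.js"></script><style>p{}</style>'
        . '<script nonce="keep">x()</script>';
    echo csp_example_add_nonce($sample, 'TESTNONCE'), "\n";
}
```

Because the filter stamps every script and style tag it finds in the buffer, markup that reaches the page before the buffer is flushed receives the nonce as well. The policy therefore only restricts scripts added after the response has been built, and a tag that already carries a nonce attribute is left untouched.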


There are currently too many. Any “HTML optimizer” uses the same process as this code (yes, since the WP core developers missed the inline scripts and localization scripts, there is currently no other way). This means Autoptimize, W3-Cache etc. won’t work. WP-Admin throws many CSP errors and the Media-Uploader popup is showing.

