Skip to content

Commit

Permalink
All: add Content-Security-Policy-Report-Only header to all wordpress …
Browse files Browse the repository at this point in the history
  • Loading branch information
timmywil committed Aug 19, 2024
1 parent 799f789 commit c16a9ff
Show file tree
Hide file tree
Showing 5 changed files with 59 additions and 1 deletion.
8 changes: 8 additions & 0 deletions themes/api.jquery.com/functions.php
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
<?php

// Allow inline scripts and styles in API demos
add_filter( 'jq_content_security_policy', function ( $policy ) {
$policy[ 'script-src' ] = "'self' 'unsafe-inline' code.jquery.com";
$policy[ 'style-src' ] = "'self' 'unsafe-inline'";
return $policy;
} );
7 changes: 7 additions & 0 deletions themes/api.jquerymobile.com/functions.php
Original file line number Diff line number Diff line change
Expand Up @@ -28,3 +28,10 @@ function jq_mobile_api_version_current() {
$thisVersion[ 1 ] :
jq_mobile_api_version_latest();
}

// Allow inline scripts and styles in API demos
add_filter( 'jq_content_security_policy', function ( $policy ) {
$policy[ 'script-src' ] = "'self' 'unsafe-inline' code.jquery.com";
$policy[ 'style-src' ] = "'self' 'unsafe-inline'";
return $policy;
} );
7 changes: 7 additions & 0 deletions themes/api.jqueryui.com/functions.php
Original file line number Diff line number Diff line change
Expand Up @@ -24,3 +24,10 @@ function jq_ui_api_version_current() {
$thisVersion[ 1 ] :
jq_ui_api_version_latest();
}

// Allow inline scripts and styles in API demos
add_filter( 'jq_content_security_policy', function ( $policy ) {
$policy[ 'script-src' ] = "'self' 'unsafe-inline' code.jquery.com";
$policy[ 'style-src' ] = "'self' 'unsafe-inline'";
return $policy;
} );
36 changes: 36 additions & 0 deletions themes/jquery/functions.php
Original file line number Diff line number Diff line change
Expand Up @@ -251,3 +251,39 @@ function jq_image_posted_on() {

return $classes;
} );

/**
* Content Security Policy
*/
function jq_content_security_policy() {
$nonce = wp_create_nonce( JQUERY_LIVE_SITE );
$policy = array(
'default-src' => "'self'",
'script-src' => "'self' 'nonce-$nonce' code.jquery.com",
// The SHA is for the inline style from typesense
// 'unsafe-hashes' is required in order to use hashes in style-src
'style-src' => "'self' 'nonce-$nonce' 'sha256-biLFinpqYMtWHmXfkA1BPeCY0/fNt46SAZ+BBk5YUog=' 'unsafe-hashes'",
// data: SVG images are used in typesense
'img-src' => "'self' data:",
'connect-src' => "'self' typesense.jquery.com",
'font-src' => "'self'",
'object-src' => "'none'",
'media-src' => "'self'",
'frame-src' => "'self'",
'child-src' => "'self'",
'form-action' => "'self'",
'frame-ancestors' => "'none'",
'base-uri' => "'self'",
'block-all-mixed-content' => '',
'report-uri' => 'https://csp-report-api.openjs-foundation.workers.dev/',
);

$policy = apply_filters( 'jq_content_security_policy', $policy );

$policy_string = '';
foreach ( $policy as $key => $value ) {
$policy_string .= $key . ' ' . $value . '; ';
}

header( 'Content-Security-Policy-Report-Only: ' . $policy_string );
}
2 changes: 1 addition & 1 deletion themes/jquery/header.php
Original file line number Diff line number Diff line change
@@ -1,11 +1,11 @@
<?php jq_content_security_policy() ?>
<!doctype html>
<html class="no-js" <?php language_attributes(); ?>>
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">

<title><?php
global $page, $paged;
wp_title( '|', true, 'right' );
bloginfo( 'name' );
$site_description = get_bloginfo( 'description', 'display' );
Expand Down

0 comments on commit c16a9ff

Please sign in to comment.