Like this blog, I use Cloudflare Workers to inject a CSP (Content Security Policy) nonce in the headers: https://scotthelme.co.uk/csp-nonces-the-easy-way-with-cloudflare-workers/

This is functional. Next, I need to inject the nonce into all script tags. I use this script (in functions.php):

add_filter( 'script_loader_tag', 'add_nonce_to_script', 10, 3 );
function add_nonce_to_script( $tag, $handle, $source ) {

    $search = "type='text/javascript'";
    $replace = "type='text/javascript' nonce='<?= html_escape($cspNonce); ?>'";
    $subject = $tag;

    $output = str_replace($search, $replace, $subject);
    return $output;
}

The result is not the expected one; I get this kind of code:

script type="text/javascript" nonce="&lt;?= html_escape(); ?&gt;&lt;![CDATA[html5-dom-document-internal-cdata"

The problem probably comes from this line, but I don't know how to correct it:

$replace = "type='text/javascript' nonce='<?= html_escape($cspNonce); ?>'";

Does anyone have an idea?

asked Nov 21, 2020 at 15:53 by sebfaed
  • 2 You can't put PHP opening tags inside a PHP string, that doesn't make sense because you are already inside PHP. You need to join/concatenate the strings together. This isn't a WordPress problem but rather a misunderstanding of beginner level PHP. This is essentially what you've tried to do: <?php <?php ?> ?> – Tom J Nowell Commented Nov 21, 2020 at 16:21

1 Answer

Thank you for your answer, you are absolutely right.

I also corrected my mistake. I'll post the code if it helps.

Code for Cloudflare Workers: https://gist.github.com/richie5um/b2999177b27095af13ec619e44742116

Code for WordPress:

// Hook every enqueued <script> tag before WordPress prints it.
add_filter( 'script_loader_tag', 'add_nonce_to_script', 10, 3 );
function add_nonce_to_script( $tag, $handle, $source ) {
    // Append an empty nonce attribute after the type attribute.
    $search = "type='text/javascript'";
    $replace = "type='text/javascript' nonce=''";
    $subject = $tag;

    $output = str_replace($search, $replace, $subject);
    return $output;
}
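
The edge-side step that the empty `nonce=''` placeholder in the answer's filter depends on, as an added example that is not the code from the linked gist or from the original post. It assumes the Worker fills the placeholder and sends the matching header; the function names, the policy string and the sample HTML are constructed for illustration.

```javascript
// Added example (not the gist's code). Web Crypto is a global on Workers;
// the require() fallback only matters when running this on older Node.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

// 128 random bits, base64-encoded, generated fresh for every response.
function makeNonce() {
  const bytes = webcrypto.getRandomValues(new Uint8Array(16));
  return btoa(String.fromCharCode(...bytes));
}

// Fill the empty nonce attribute emitted by the WordPress filter.
// Only <script ...> opening tags are touched; both quote styles are accepted
// because the rendered output in the question used double quotes.
function fillScriptNonces(html, nonce) {
  return html.replace(/<script\b[^>]*>/gi, (tag) =>
    tag.replace(/\snonce=(['"])\1/, ` nonce="${nonce}"`));
}

// Policy value (assumed for this example) that authorises only scripts
// carrying this response's nonce.
function cspHeader(nonce) {
  return `script-src 'nonce-${nonce}'; object-src 'none'; base-uri 'none'`;
}

// One nonce per response, used for both the body and the header.
function rewriteResponse(html) {
  const nonce = makeNonce();
  return { nonce, html: fillScriptNonces(html, nonce), csp: cspHeader(nonce) };
}

// Constructed sample page: two placeholder tags, one tag without the
// placeholder, and body text that merely contains the placeholder string.
const SAMPLE_HTML = [
  "<script type='text/javascript' nonce='' src='/wp-includes/js/jquery/jquery.min.js'></script>",
  '<script type="text/javascript" nonce="">var a = 1;</script>',
  "<script src='/no-placeholder.js'></script>",
  "<p>nonce='' in body text stays as it is</p>",
].join('\n');
```

In a Worker, `rewriteResponse` would be applied to the origin's HTML body and its `csp` value sent as the `Content-Security-Policy` response header. Any script tag that reaches the edge with the empty placeholder receives the nonce, so the placeholder should be emitted only by the theme's own filter and never be reproducible from user-supplied markup.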

Tags: CSP nonces with Cloudflare Workers