CSP header filter may not play well with others #290

GaryJones · 2020-06-05T10:58:06Z

This method is a filter on wp_headers action:

pwa-wp/wp-includes/class-wp-https-ui.php

Lines 343 to 346 in 330c76b

    
           public function upgrade_insecure_requests( $headers ) { 
        
           	$headers['Content-Security-Policy'] = 'upgrade-insecure-requests'; 
        
           	return $headers; 
        
           }

If there is already some code that filters wp_headers to add a value for Content-Security-Policy, then this value wipes that out without any consideration for what may already be there.

Could the method be a bit more subtle and check for the presence of a Content-Security-Policy, and append upgrade-insecure-requests if it doesn't already exist / amend the value if there is a value that would conflict with that?

The text was updated successfully, but these errors were encountered:

westonruter · 2020-06-06T03:58:18Z

Yes, that's a great point.

pooja-muchandikar · 2022-04-21T09:08:59Z

QA Passed ✅ the changes are reflecting as expected.

Before:

--

After:

westonruter added this to the 0.6 milestone Jun 6, 2020

westonruter added the https label Jun 9, 2020

westonruter modified the milestones: 0.6, 0.7 Dec 10, 2020

westonruter mentioned this issue Jul 6, 2021

Remove HTTPS detection/migration since landed in WP 5.7 #557

Merged

westonruter closed this as completed in #557 Jul 13, 2021

westonruter removed this from the 0.7 milestone Apr 29, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CSP header filter may not play well with others #290

CSP header filter may not play well with others #290

GaryJones commented Jun 5, 2020

westonruter commented Jun 6, 2020

pooja-muchandikar commented Apr 21, 2022

CSP header filter may not play well with others #290

CSP header filter may not play well with others #290

Comments

GaryJones commented Jun 5, 2020

westonruter commented Jun 6, 2020

pooja-muchandikar commented Apr 21, 2022