A couple of weeks ago I sobbed because of the lack of support for “unsafe-inline” in Firefox. There are some Mozillians working on that (for CSS, at least), but given the release train, that will probably only appear around Firefox 19. While perusing CSP-related tickets in Bugzilla, however, I came across an interesting comment:
Firefox expects “options inline-script eval-script” instead of “script-src 'unsafe-inline' 'unsafe-eval'”, which it should be per spec. Also, Firefox expects “xhr-src” instead of “connect-src”.
Come again? So I can tell Firefox to execute inline script even without support for CSP 1.0 after all? I opened up my development version of WP DoNotTrack to rework the proof-of-concept code into this:
function wp_donottrack_csp() {
    global $listmode;
    // Only emit a policy when the plugin runs in whitelist mode ("1").
    if ($listmode === "1") {
        $whitelist = wp_donottrack_getWhiteList(true);
        $csp = "default-src 'self' 'unsafe-inline'";
        if (is_array($whitelist)) {
            // every whitelisted host is allowed together with all of its subdomains
            foreach ($whitelist as $white) {
                $csp .= " *." . $white;
            }
        }
        // old-style "options inline-script" directive for Firefox (pre-CSP 1.0 syntax)
        $csp .= "; options inline-script;";
        header("X-Content-Security-Policy: " . $csp);
        header("Content-Security-Policy: " . $csp);
        // needed for Chrome, but Safari 5 (latest version on Windows) might be broken?!
        header("X-WebKit-CSP: " . $csp);
    }
}
Based on limited testing, it indeed seems to work great this way. So maybe, if this also turns out to work in IE10 and on Safari for Windows, a next version of WP DoNotTrack can ship with CSP support after all?
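To make the spelling differences from the Bugzilla comment concrete, here is an added example (not WP DoNotTrack's own code, and the function names csp_policy_from_whitelist, csp_serialize_standard, csp_serialize_legacy_firefox and csp_headers are hypothetical). It describes the policy once as a structured array and serialises it twice: in CSP 1.0 syntax for Content-Security-Policy and X-WebKit-CSP, and in the older Firefox syntax for X-Content-Security-Policy, where 'unsafe-inline' and 'unsafe-eval' become "options inline-script eval-script" and connect-src becomes xhr-src. The whitelist is assumed to be a plain array of hostnames, as the plugin's wp_donottrack_getWhiteList(true) is used above; the sample hostname is constructed.

```php
<?php
/**
 * Added example, not code from WP DoNotTrack. One policy description,
 * serialised in both CSP 1.0 syntax and pre-1.0 Firefox syntax.
 */

/**
 * Hypothetical helper: build a CSP 1.0 style policy array
 * (directive name => list of source expressions) from a host whitelist.
 */
function csp_policy_from_whitelist(array $whitelist, $allow_inline, $allow_eval) {
    $sources = array("'self'");
    foreach ($whitelist as $host) {
        // Only accept a bare hostname so a stray ";" or space in the
        // whitelist cannot inject an extra directive into the header.
        if (preg_match('/^[a-z0-9.-]+$/i', $host)) {
            $sources[] = '*.' . $host;   // host plus all of its subdomains, as the plugin does
        }
    }
    $script = $sources;
    if ($allow_inline) { $script[] = "'unsafe-inline'"; }
    if ($allow_eval)   { $script[] = "'unsafe-eval'"; }
    return array(
        'default-src' => $sources,
        'script-src'  => $script,
        'connect-src' => array("'self'"),
    );
}

/** CSP 1.0 syntax: "directive src src; directive src". */
function csp_serialize_standard(array $policy) {
    $parts = array();
    foreach ($policy as $name => $sources) {
        $parts[] = $name . ' ' . implode(' ', $sources);
    }
    return implode('; ', $parts);
}

/**
 * Pre-1.0 Firefox syntax (X-Content-Security-Policy): the 'unsafe-*'
 * keywords are not source expressions there but flags in a separate
 * "options" directive, and connect-src is spelt xhr-src.
 */
function csp_serialize_legacy_firefox(array $policy) {
    $rename  = array('connect-src' => 'xhr-src');
    $keyword = array("'unsafe-inline'" => 'inline-script',
                     "'unsafe-eval'"   => 'eval-script');
    $parts   = array();
    $options = array();
    foreach ($policy as $name => $sources) {
        $kept = array();
        foreach ($sources as $src) {
            if (isset($keyword[$src])) {
                $options[$keyword[$src]] = true;   // collected into one "options" directive
            } else {
                $kept[] = $src;
            }
        }
        $legacyName = isset($rename[$name]) ? $rename[$name] : $name;
        $parts[] = $legacyName . ' ' . implode(' ', $kept);
    }
    if ($options) {
        $parts[] = 'options ' . implode(' ', array_keys($options));
    }
    return implode('; ', $parts);
}

/** Header name => value pairs; the caller passes each one to header(). */
function csp_headers(array $policy) {
    $standard = csp_serialize_standard($policy);
    return array(
        'Content-Security-Policy'   => $standard,
        'X-WebKit-CSP'              => $standard,
        'X-Content-Security-Policy' => csp_serialize_legacy_firefox($policy),
    );
}

// Constructed sample input: one whitelisted host, inline script allowed, eval not.
$policy = csp_policy_from_whitelist(array('example.net'), true, false);
foreach (csp_headers($policy) as $name => $value) {
    echo $name, ': ', $value, "\n";
}
```

Keeping the policy as data and serialising it per header avoids the situation in the snippet above, where the same string is sent to every browser and each one silently ignores the part it does not understand. The hostname check in csp_policy_from_whitelist is the one piece worth carrying over regardless of syntax: a whitelist entry that is not a plain hostname must not end up concatenated into a response header.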
Thanks! Really helpful post.