A couple of weeks ago I sobbed because of the lack of support for “unsafe-inline” in Firefox. There are some Mozillians working on that (for CSS, at least), but given the release train, that will probably only appear around Firefox 19. While perusing CSP-related tickets in Bugzilla, however, I came across an interesting comment:
Firefox expects “options inline-script eval-script” instead of “script-src 'unsafe-inline' 'unsafe-eval'” which it should be per spec. Also, Firefox expects “xhr-src” instead of “connect-src”.
Come again? So I can tell Firefox to execute inline script even without support for CSP 1.0 after all? I opened up my development version of WP DoNotTrack to rework the proof-of-concept code into this:
```php
function wp_donottrack_csp() {
    global $listmode;
    $whitelist = null; // only populated in list mode "1"
    if ($listmode === "1") {
        $whitelist = wp_donottrack_getWhiteList(true);
    }
    $csp = "default-src 'self' 'unsafe-inline' ";
    if (is_array($whitelist)) {
        foreach ($whitelist as $white) {
            $csp .= " *." . $white;
        }
    }
    // old-style "options inline-script" for Firefox (pre-CSP 1.0 syntax)
    $csp .= "; options inline-script;";
    header("X-Content-Security-Policy: " . $csp);
    header("Content-Security-Policy: " . $csp);
    // needed for Chrome, but Safari 5 (latest version on Windows) might be broken?!
    header("X-WebKit-CSP: " . $csp);
}
```
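The snippet above sends one string to all three headers and relies on old Firefox tolerating the CSP 1.0 tokens it does not understand. The Bugzilla comment quoted earlier gives enough to do the translation explicitly: `'unsafe-inline'` becomes `options inline-script`, `'unsafe-eval'` becomes `options eval-script`, and `connect-src` becomes `xhr-src`. The following is an added example, not WP DoNotTrack's code; the function names (`csp_build`, `csp_to_legacy_firefox`, `csp_send_headers`) and the sample whitelist hosts are my own, and the choice to emit `'none'` for a directive that loses all of its sources is an assumption about how the legacy syntax should be read.

```php
<?php
// Added example (not WP DoNotTrack's code). Builds a CSP 1.0 policy from a
// structured directive list and derives the pre-1.0 Firefox form for the
// X-Content-Security-Policy header. Function names are hypothetical.

// Join directives into the standard "name sources; name sources" form.
function csp_build(array $directives): string
{
    $parts = [];
    foreach ($directives as $name => $sources) {
        $parts[] = $name . ' ' . implode(' ', $sources);
    }
    return implode('; ', $parts);
}

// Translate to the legacy Firefox syntax: the 'unsafe-*' source keywords are
// pulled out into a single global "options" directive, and connect-src is
// renamed to xhr-src.
function csp_to_legacy_firefox(array $directives): string
{
    $options = [];
    $legacy  = [];
    foreach ($directives as $name => $sources) {
        $kept = [];
        foreach ($sources as $src) {
            if ($src === "'unsafe-inline'") {
                $options['inline-script'] = true;
            } elseif ($src === "'unsafe-eval'") {
                $options['eval-script'] = true;
            } else {
                $kept[] = $src;
            }
        }
        if ($name === 'connect-src') {
            $name = 'xhr-src';
        }
        // Assumption: a directive that consisted only of 'unsafe-*' keywords
        // still allowed no external sources, so keep it as 'none' rather than
        // dropping it and letting default-src take over.
        $legacy[$name] = $kept ?: ["'none'"];
    }
    $policy = csp_build($legacy);
    if ($options) {
        $policy .= '; options ' . implode(' ', array_keys($options));
    }
    return $policy;
}

// Emit the standard header plus the two prefixed ones the page mentions.
function csp_send_headers(array $directives): void
{
    $standard = csp_build($directives);
    header('Content-Security-Policy: ' . $standard);                           // CSP 1.0
    header('X-WebKit-CSP: ' . $standard);                                      // prefixed WebKit
    header('X-Content-Security-Policy: ' . csp_to_legacy_firefox($directives)); // pre-1.0 Firefox
}

// Constructed sample input standing in for the plugin's whitelist.
$whitelist  = ['example.com', 'example.net'];
$directives = [
    'default-src' => array_merge(
        ["'self'", "'unsafe-inline'"],
        array_map(fn ($host) => '*.' . $host, $whitelist)
    ),
    'connect-src' => ["'self'"],
];

if (PHP_SAPI === 'cli') {
    echo csp_build($directives), "\n";
    echo csp_to_legacy_firefox($directives), "\n";
} else {
    csp_send_headers($directives);
}
```

Keeping the policy as a directive array rather than a hand-built string makes the per-browser differences a pure rendering step, so the same whitelist feeds every header and a change to the source list cannot drift between the standard and legacy forms. When run from the CLI the script prints the two renderings instead of sending headers.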
Based on limited testing, it does indeed seem to work great this way. So maybe, if this also turns out to work in IE10 and on Safari for Windows, a next version of WP DoNotTrack can ship with CSP support after all?