• Hello.

    I was interested in your GD Security plugin, as I am looking for ways to better secure my WordPress site. It seems that only one CSP-related plugin may go as far as incorporating the 'nonce=""' attribute into the in-line "script" and "style" tags within the HTML output.

    My question is, of course, does your plugin also edit the HTML output stream to enable the use of the script and style nonces on the generated pages properly? – This feature is very important if we want to use “nonces” for any in-line scripts/styles when using the CSP header.

    Any thoughts on this are much appreciated!

    – Jim


Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Milan Petrovic

    (@gdragon)

    No,

    Plugin doesn't modify HTML to generate nonces for scripts. I am thinking about that, but, right now, I am not sure how to implement it, because it would need to generate a different CSP for each page, making .htaccess or other server config impossible to use.

    Regards,
    Milan

    Thread Starter Dragons Eye

    (@dragons-eye)

    Actually Milan,

    It’s fairly easy to do. The other point you made about setting the CSP header in .htaccess or other server .conf files: It’s best to actually use WordPress’s “header” function to set the CSP header.

    I have a functioning example of this AND the way to modify the HTML output BEFORE it is sent to the browser. It works like a charm!

    I am currently using this code by “including” it within my theme’s “functions.php” file.

    I would be more than happy to share the code with you, if you wish to provide me some means of contact to get it to you. (I will probably need to write a few technical specs to go with it, so that you understand how the code works.)

    Once you understand the concept, applying it is very simple (along with a few regexes, like using "preg_replace()", etc.).

    BTW: My coding example also optimizes HTML pages, so that they load a little faster too!

    Please let me know if you are interested in my solution.

    – Jim
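A minimal version of the approach described in the post above, as an added example and not Jim's code or the plugin's: a per-request nonce is generated once, sent in the CSP header from PHP, and injected into `<script>`/`<style>` tags by an output-buffer callback. It assumes a WordPress theme or plugin context (`add_action` available) and that no page cache serves stored HTML.

```php
<?php
// Added example (not the plugin's or the poster's code). Assumes it is loaded
// from a theme's functions.php or a plugin, so add_action() is available.

// One nonce per request, from a CSPRNG; base64 keeps it a valid CSP nonce value.
function example_csp_nonce() {
    static $nonce = null;
    if ($nonce === null) {
        $nonce = base64_encode(random_bytes(16));
    }
    return $nonce;
}

// Add nonce="..." to every <script> and <style> opening tag that does not
// already carry a nonce attribute. Tags with an existing nonce are left alone.
function example_add_nonce_to_tags($html, $nonce) {
    $pattern = '/<(script|style)\b((?:(?!\bnonce=)[^>])*)>/i';
    return preg_replace_callback($pattern, function ($m) use ($nonce) {
        return '<' . $m[1] . ' nonce="' . $nonce . '"' . $m[2] . '>';
    }, $html);
}

// Send the CSP header from PHP (the poster's point: no .htaccess needed), so the
// nonce in the header is the same one injected into this response's HTML.
add_action('send_headers', function () {
    $n = example_csp_nonce();
    header("Content-Security-Policy: default-src 'self'; "
        . "script-src 'self' 'nonce-$n'; style-src 'self' 'nonce-$n'");
});

// Rewrite the rendered page before it reaches the browser. Caveat raised by the
// plugin author: a page cache or minifier that stores/rewrites this HTML will
// serve a nonce that no longer matches the freshly generated header, so the
// browser will block those scripts and styles.
add_action('template_redirect', function () {
    ob_start(function ($html) {
        return example_add_nonce_to_tags($html, example_csp_nonce());
    });
}, 0);
```

With caching enabled, the nonce must instead be generated and injected at the layer that serves the cached HTML, otherwise CSP breaks exactly as the plugin author describes.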

    Plugin Author Milan Petrovic

    (@gdragon)

    I know it is easy to do, but there are many other things to consider: no use of server config, and any cache plugin with minification will break CSP. I managed to make provisional code for some cache plugins, but most don't have a way to be modified properly.

    I plan to make this, but I have to solve many issues to make it usable for most.


The topic ‘Does this plugin also edit the output HTML?’ is closed to new replies.