科技改变生活-雨落星辰 - 所有的伟大,都源于一个勇敢的开始

    最新消息:雨落星辰是一个专注网站SEO优化、网站SEO诊断、搜索引擎研究、网络营销推广、网站策划运营及站长类的自媒体原创博客
    你的位置: 首页>programmer>CSP nonces with Cloudflare Workers

    CSP nonces with Cloudflare Workers

    programmeradmin0浏览0评论

    Like this blog, I use Cloudflare Workers to inject CSP (Content Security Policy) nonce in headers : /

    This is functional. Next, I need to inject the nonce into all script tags. I use this script (in functions.php) :

    add_filter( 'script_loader_tag', 'add_nonce_to_script', 10, 3 );
function add_nonce_to_script( $tag, $handle, $source ) {

$search = "type='text/javascript'";
$replace = "type='text/javascript' nonce='<?= html_escape($cspNonce); ?>'";
$subject = $tag;

$output = str_replace($search, $replace, $subject);
return $output;
}

    The result is not the expected one, I get this kind of code :

    script type="text/javascript" nonce="&lt;?= html_escape(); ?&gt;&lt;![CDATA[html5-dom-document-internal-cdata"

    The problem probably comes from this line, but I don't know how to correct it :

    $replace = "type='text/javascript' nonce='<?= html_escape($cspNonce); ?>'";

    Does anyone have an idea ?

    Like this blog, I use Cloudflare Workers to inject CSP (Content Security Policy) nonce in headers : https://scotthelme.co.uk/csp-nonces-the-easy-way-with-cloudflare-workers/

    This is functional. Next, I need to inject the nonce into all script tags. I use this script (in functions.php) :

    add_filter( 'script_loader_tag', 'add_nonce_to_script', 10, 3 );
function add_nonce_to_script( $tag, $handle, $source ) {

$search = "type='text/javascript'";
$replace = "type='text/javascript' nonce='<?= html_escape($cspNonce); ?>'";
$subject = $tag;

$output = str_replace($search, $replace, $subject);
return $output;
}

    The result is not the expected one, I get this kind of code :

    script type="text/javascript" nonce="&lt;?= html_escape(); ?&gt;&lt;![CDATA[html5-dom-document-internal-cdata"

    The problem probably comes from this line, but I don't know how to correct it :

    $replace = "type='text/javascript' nonce='<?= html_escape($cspNonce); ?>'";

    Does anyone have an idea ?

    • nonce
    • cloudflare
    Share Improve this question asked Nov 21, 2020 at 15:53 sebfaedsebfaed 11 bronze badge 1
    • 2 You can't put PHP opening tags inside a PHP string, that doesn't make sense because you are already inside PHP. You need to join/concatenate the strings together. This isn't a WordPress problem but rather a misunderstanding of beginner level PHP. This is essentially what you've tried to do: <?php <?php ?> ?> – Tom J Nowell Commented Nov 21, 2020 at 16:21
    Add a comment  | 

    1 Answer 1

    Reset to default 0

    Thank you for your answer, you are absolutely right.

    I also corrected my mistake. I'll post the code if it helps.

    Code for Cloudflare Workers: https://gist.github/richie5um/b2999177b27095af13ec619e44742116

    Code for Wordpress :

    add_filter( 'script_loader_tag', 'add_nonce_to_script', 10, 3 );
function add_nonce_to_script( $tag, $handle, $source ) {
$search = "type='text/javascript'";
$replace = "type='text/javascript' nonce=''";
$subject = $tag;

$output = str_replace($search, $replace, $subject);
return $output;
}

    与本文相关的文章

    发布评论

    评论列表(0)

    1. 暂无评论