apply_filters( ‘wp_inline_script_attributes’, array<string, , string $data )

User Contributed Notes

1. Skip to note 3 content

   Anonymous User 3 years ago

   You must log in to vote on the helpfulness of this noteVote results for this note: 1You must log in to vote on the helpfulness of this note

   This has to be used to make WP a CSP compliant system (at least, in the front end. Remains to be tested in the admin area)

   function wpdocs_add_nonce_to_scripts( $attr ) {
   	if ( 'text/javascript' !== $attr['type'] ) {
   		return $attr;
   	}
   
   	return array(
   		'type' => 'text/javascript',
   		'nonce' => '123',// Your Nonce. Obviously more featured than this example.
   	);
   }
   add_filter( 'wp_inline_script_attributes', 'wpdocs_add_nonce_to_scripts' );

   Then, you can use 'nonce-123' in your CSP Policy, example:
   "script-src 'self' 'noncoe-123';"

   • Note that this will override other attributes on the script tag. Would be better to set $attr[‘nonce’] on the existing array rather than return a new array.

     crstauf 3 years ago
2. Skip to note 4 content

   kylekeiper 3 weeks ago

   You must log in to vote on the helpfulness of this noteVote results for this note: 0You must log in to vote on the helpfulness of this note

   I use the following to set my nonce token on inline scripts within WordPress.

   function wpdocs_add_nonce_to_scripts( $atts ) {
       $atts['nonce'] = 'MyNonceToken';
       return $atts;
   }
   add_filter( 'wp_inline_script_attributes', 'wpdocs_add_nonce_to_scripts' );

   Then, when our web server (in our case, nginx) serves the page, we use text replacement to replace MyNonceToken with the page request ID, giving us a unique nonce token for each request. Lastly, we print the Content-Security-Policy header with the request id as the nonce token.