Key-value pairs representing <script> tag attributes.
Only the attribute name is added to the <script> tag for entries with a boolean value, and that are true.
This has to be used to make WP a CSP compliant system (at least, in the front end. Remains to be tested in the admin area)
function wpdocs_add_nonce_to_scripts( $attr ) {
if ( 'text/javascript' !== $attr['type'] ) {
return $attr;
}
return array(
'type' => 'text/javascript',
'nonce' => '123',// Your Nonce. Obviously more featured than this example.
);
}
add_filter( 'wp_inline_script_attributes', 'wpdocs_add_nonce_to_scripts' );
Then, you can use 'nonce-123' in your CSP Policy, example: "script-src 'self' 'noncoe-123';"
Note that this will override other attributes on the script tag. Would be better to set $attr[‘nonce’] on the existing array rather than return a new array.
This has to be used to make WP a CSP compliant system (at least, in the front end. Remains to be tested in the admin area)
Then, you can use
'nonce-123'in your CSP Policy, example:"script-src 'self' 'noncoe-123';"$attr[‘nonce’]on the existing array rather than return a new array.