No unsafe-inline

Content Security Policy (CSP) is a computer security standard introduced to prevent cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context. Cross-site scripting (XSS) is a type of security vulnerability that can be found in some web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls like the same-origin policy. Looking at National Vulnerability Database run by US NIST, more than 900 (March 2024) vulnerabilities are reported as XSS for Wordpress' plugins and themes. Keeping your site up-to-date with the latest versions of plugins and themes is the first line of defense to ensure your site's security. The second thing to do, is to deploy a strict Content Security Policy.

Automatic installation

1. Plugin admin panel and add new option.
2. Search in the text box No unsafe-inline.
3. Position yourself on the description of this plugin and select install.
4. Activate the plugin from the WordPress admin panel.

Manual installation of ZIP file

1. Download the .ZIP file from this screen.
2. Select add plugin option from the admin panel.
3. Select upload option at the top and select the file you downloaded.
4. Confirm installation and activation of the plugin from the administration panel.

Manual FTP installation

1. Download the .ZIP file from this screen and unzip it.
2. FTP access to your folder on the web server.
3. Copy the whole no-unsafe-inline folder to the /wp-content/plugins/ directory
4. Activate the plugin from the WordPress admin panel.

1.2.2

• Update mu-plugin to run callbacks attached to lower buffer levels and to the shutdown hook
• Extend overriding of native js functions
• Adding jqueryui v. 1.13.3 theme
• Remove legacy dependencies from distribution package
• Bug fixes

1.2.1 Bug fixes 1.2.0

• Added persistence and online (partial) training to Knn classifiers
• Added checks on startup for PHP build options
• Fixed error thrown when malfromed URL are parsed while capture is enabled
• Modified classificators tests
• Improvements at the UI

1.1.5

• Update external scripts table on plugin/theme/core update
• Added a check for PHP extension requirements on startup
• Added a polyfill to be used when PHP is built with --disable-mbregex

1.1.4

• Fix src_attrib field size for long URLs
• Remove spatie\async from codebase and use fibers to execute long processes after page output
• Fix summary report

1.1.3

• Reduce the number of capture occurences
• (dev) adding support for SCRIPT_DEBUG
• Update composer and npm dependencies
• Fix admin js for jquery deprecations
• Adding some cookie scripts to the list of scripts that do not support SRI

1.1.2

• Removed the use of 'hash-value' to allow external styles - not supported by CSP
• Removed the use of 'hash-value' to allow external images - not supported by CSP
• Added code to prune legacy external assets when pruning db
• Forced synchronous code execution

1.1.1

• Bug fixes
• Improved compatibility with PHP 8.2

1.1.0

• Moving to RubixML lib for machine-learning.
• Fixed bug in capturing tags.
• Fixed bug in pruning clusters.
• Added a mutation observer for inline styles transfered to the internal css.

1.0.2

• Fix results count error and default order in list_tables.
• Avoid sending CSP on not HTML or XML Document responses.
• Include page capture in asyncronous execution.
• Removing double conversion of nilsimsa, while clustering.

1.0.1

• Lowered priority for action and filter called on shutdown hook.
• Moved default value for inline_scripts_mode option to 'nonce'.
• Fixed server error when csp header is too long.
• Added setting to define HTTP Response Header Limit.
• Added a waiting spinner on tools' page of admin interface.

1.0.0

• First plugin submission to WordPress.org