All: enable CSP report header on production sites

timmywil · web-flow · commit 1a47589707f9 · 2024-12-09T10:28:24.000-05:00
- disable style tag added in WordPress 6.7 Ref jquery/infrastructure-puppet#54 Closes gh-473
diff --git a/plugins/jquery-filters.php b/plugins/jquery-filters.php
@@ -88,6 +88,10 @@
 	return 1024 * 1024;
 } );
 
+// Disable the new image sizes feature.
+// It adds a style tag that would require a CSP exception.
+add_filter( 'wp_img_tag_add_auto_sizes', '__return_false' );
+
 // Allow full HTML in term descriptions.
 add_action( 'init', 'jquery_unfiltered_html_for_term_descriptions' );
 add_action( 'set_current_user', 'jquery_unfiltered_html_for_term_descriptions' );
diff --git a/themes/contribute.jquery.org/functions.php b/themes/contribute.jquery.org/functions.php
@@ -1,7 +1,7 @@
 <?php
  
 // Allow loading a Vimeo video on
-// https://local.contribute.jquery.org/markup-conventions/
+// https://contribute.jquery.org/markup-conventions/
 add_filter( 'jq_content_security_policy', function ( $policy ) {
 	$policy[ 'frame-src' ] = "'self' player.vimeo.com";
 	return $policy;
diff --git a/themes/jquery/functions.php b/themes/jquery/functions.php
@@ -256,9 +256,6 @@ function jq_image_posted_on() {
  * Content Security Policy
  */
 function jq_content_security_policy() {
-	if ( !JQUERY_STAGING ) {
-		return;
-	}
 	$nonce = bin2hex( random_bytes( 8 ) );
 	$report_url = 'https://csp-report-api.openjs-foundation.workers.dev/';
 	$policy = array(
