
WooCommerce wc_no_js Script Breaks Content Security Policy by Not Using wp_add_inline_script

Status: open | Reported: Sep 26, 2025 | Plugin: WooCommerce

Summary:

The bug report identifies a security issue where the WooCommerce plugin incorrectly outputs the `wc_no_js` script. Currently, this script is added directly via the `wp_footer()` function. This method bypasses the standard WordPress script registration and enqueuing system.

The core problem is that because the script is not added using `wp_add_inline_script()`, it does not receive a `nonce` attribute when one is configured for a Content Security Policy (CSP). Modern security practices use CSPs with nonces to prevent Cross-Site Scripting (XSS) attacks by only allowing scripts with a valid, server-generated nonce to execute. The current implementation forces site administrators to include `'unsafe-inline'` in their CSP's `script-src` directive, which significantly weakens the site's security posture by allowing any inline script to run.

The expected behavior is for the `wc_no_js` script to be added via `wp_add_inline_script()`. This would allow the `wp_inline_script_attributes` filter to apply a nonce, making the script compliant with a strict CSP without requiring the `'unsafe-inline'` exception.
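To make the mechanism concrete, here is an added example (not WooCommerce code, and not part of the report) written as a small must-use plugin. It generates one nonce per request, sends a nonce-based CSP, hooks the `wp_script_attributes` and `wp_inline_script_attributes` filters to stamp that nonce on every tag WordPress prints through its script API, and then outputs the same constructed snippet both ways: echoed straight into `wp_footer` (blocked) and attached with `wp_add_inline_script()` (allowed). The file path, the `cspdemo_` names, the handle `cspdemo-no-js` and the `no-js` snippet are all assumptions made for the demo.

```php
<?php
/**
 * Added example (not WooCommerce code): why wp_add_inline_script() matters under a nonce CSP.
 * Assumed location: wp-content/mu-plugins/csp-nonce-demo.php (hypothetical).
 */

// One nonce per request, generated once and shared by the header and the attribute filters.
function cspdemo_nonce() {
    static $nonce = null;
    if ( null === $nonce ) {
        // 128 bits of randomness, base64-encoded as the CSP 'nonce-...' source expects.
        $nonce = base64_encode( random_bytes( 16 ) );
    }
    return $nonce;
}

// 1. Send a strict policy: only scripts carrying this request's nonce (or same-origin
//    src files) may run. No 'unsafe-inline', which is the exception the report wants to avoid.
add_action( 'send_headers', function () {
    header( "Content-Security-Policy: script-src 'self' 'nonce-" . cspdemo_nonce() . "'; object-src 'none'; base-uri 'self'" );
} );

// 2. Stamp the nonce on every script tag WordPress prints through its script API:
//    external <script src> tags (wp_script_attributes) and inline scripts added with
//    wp_add_inline_script() (wp_inline_script_attributes).
$cspdemo_add_nonce = function ( array $attributes ) {
    $attributes['nonce'] = cspdemo_nonce();
    return $attributes;
};
add_filter( 'wp_script_attributes', $cspdemo_add_nonce );
add_filter( 'wp_inline_script_attributes', $cspdemo_add_nonce );

// 3a. The pattern the report objects to: a raw <script> echoed from a wp_footer callback.
//     The filters above never see this tag, so it has no nonce and the browser blocks it.
add_action( 'wp_footer', function () {
    echo "<script>document.body.classList.remove('no-js');</script>\n"; // constructed snippet
} );

// 3b. The pattern the report asks for: the same snippet attached to a registered handle.
//     WordPress prints it via wp_get_inline_script_tag(), which runs the
//     wp_inline_script_attributes filter, so the tag comes out with nonce="...".
add_action( 'wp_enqueue_scripts', function () {
    // A handle registered with src = false carries inline-only code; no file is loaded.
    wp_register_script( 'cspdemo-no-js', false, array(), null, true );
    wp_enqueue_script( 'cspdemo-no-js' );
    wp_add_inline_script( 'cspdemo-no-js', "document.body.classList.remove('no-js');" ); // constructed snippet
} );
```

With the plugin active, the footer contains two copies of the snippet: the one from 3a appears as a bare `<script>` and shows up as a CSP violation in the console, while the one from 3b carries the request's nonce and runs. Two practical points: the nonce must be generated once per response and reused by both the header and the filters (a mismatch blocks everything), and full-page caching will replay a stale nonce unless the cache layer regenerates it, so in production the header is usually set by the web server or edge rather than by PHP.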

How to Replicate:

  1. Configure a Content Security Policy (CSP) for your WordPress site that uses a nonce for the `script-src` directive (i.e., without `'unsafe-inline'`).
  2. Navigate to any page on the site that loads WooCommerce assets.
  3. Observe in the browser's developer console that the `wc_no_js` script is blocked by the CSP because it lacks the required nonce attribute.
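Step 3 relies on reading the browser console by hand. The following added example (not from the report) turns that observation into an offline check: given the HTML of a rendered page and the nonce from that response's CSP header, it lists every executable `<script>` tag the policy would block, treating same-origin `src` files as allowed and skipping non-executable data blocks such as JSON-LD. It generalizes beyond the single `wc_no_js` tag to any inline or third-party script on the page. The HTML sample, the nonce value, the origin `https://shop.example.test` and the `cspdemo_` names are constructed for the demo.

```php
<?php
/**
 * Added example (not from the report): find <script> tags a nonce-based
 * "script-src 'self' 'nonce-...'" policy would block in a saved page.
 */

// True when a src URL resolves to the page's own origin (allowed by 'self').
function cspdemo_src_is_same_origin( string $src, string $origin ): bool {
    // Absolute or protocol-relative URL: compare against the page origin.
    if ( preg_match( '#^(?:[a-z][a-z0-9+.-]*:)?//#i', $src ) ) {
        return 0 === strpos( $src, rtrim( $origin, '/' ) . '/' );
    }
    // Scheme-less URL ("/wp-includes/..."): resolves against the page's own origin.
    return true;
}

// Returns one entry per blocked tag: the 1-based line number and the opening tag text.
function cspdemo_find_blocked_scripts( string $html, string $nonce, string $origin ): array {
    $blocked = array();
    preg_match_all( '/<script\b([^>]*)>/i', $html, $tags, PREG_SET_ORDER | PREG_OFFSET_CAPTURE );

    foreach ( $tags as $tag ) {
        $attrs  = $tag[1][0];
        $offset = $tag[0][1];

        // Data blocks (JSON-LD, JSON, templates) are never executed, so CSP does not gate them.
        if ( preg_match( '/\btype\s*=\s*["\']?(?:application\/(?:ld\+)?json|text\/template)/i', $attrs ) ) {
            continue;
        }

        // A tag with the exact nonce from this response is allowed wherever it came from.
        if ( preg_match( '/\bnonce\s*=\s*["\']([^"\']*)["\']/i', $attrs, $n ) && hash_equals( $nonce, $n[1] ) ) {
            continue;
        }

        // Without a nonce, only a same-origin src file passes under 'self'.
        if ( preg_match( '/\bsrc\s*=\s*["\']?([^"\'\s>]+)/i', $attrs, $s ) && cspdemo_src_is_same_origin( $s[1], $origin ) ) {
            continue;
        }

        $blocked[] = array(
            'line' => substr_count( substr( $html, 0, $offset ), "\n" ) + 1,
            'tag'  => $tag[0][0],
        );
    }
    return $blocked;
}

// Constructed sample: the nonce the CSP header carried and a rendered page body.
$nonce = 'r4nd0mN0nc3Valu3==';
$html  = <<<HTML
<html><body class="no-js">
<script nonce="r4nd0mN0nc3Valu3==">document.body.classList.remove('no-js');</script>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script type="application/ld+json">{"@context":"https://schema.org"}</script>
<script>document.body.classList.remove('no-js');</script>
<script src="https://cdn.example.test/widget.js"></script>
</body></html>
HTML;

foreach ( cspdemo_find_blocked_scripts( $html, $nonce, 'https://shop.example.test' ) as $hit ) {
    printf( "line %d would be blocked: %s\n", $hit['line'], $hit['tag'] );
}
```

On the constructed sample the first four tags pass (valid nonce, same-origin file, JSON-LD data block) and the check reports the bare inline `<script>` on line 5 and the third-party `widget.js` on line 6, which is the same pair the console would show as violations. Feed it the page source saved from the browser together with the nonce from the response's `Content-Security-Policy` header to reproduce step 3 without a browser; the regexes assume well-formed tags, so run it on rendered output rather than raw templates.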