Skip to content

Update Jetpack_Notifications::print_js() to be CSP-compatible #45878

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
Nov 13, 2025
Merged

Update Jetpack_Notifications::print_js() to be CSP-compatible #45878

merged 5 commits into from
Nov 13, 2025
+17 −11

Conversation

@westonruter
Copy link
Contributor

@westonruter westonruter commented Nov 11, 2025

Proposed changes:

To be compatible with CSP, the nonce attribute needs to be able to be inserted into SCRIPT tags generated by WordPress. This is made possible when using wp_print_script_tag() and wp_print_inline_script_tag().

This has been slowly rolling out to WordPress core. For context, see these Trac tickets:

This also improves the exporting of data from PHP to JS per https://sirre.al/2025/08/06/safe-json-in-script-tags-how-not-to-break-a-site/

Other information:

  • Have you written new tests for your changes, if applicable?
  • Have you checked the E2E test CI results, and verified that your changes do not break them?
  • Have you tested your changes on WordPress.com, if applicable (if so, you'll see a generated comment below with a script to run)?

Jetpack product discussion

Does this pull request change what data or activity we track or use?

Testing instructions:

  1. Install the Strict CSP plugin.
  2. Ensure the admin bar Notes 🔔 dropdown works on the frontend.

@github-actions github-actions bot added the [Plugin] Jetpack Issues about the Jetpack plugin. https://wordpress.org/plugins/jetpack/ label Nov 11, 2025
@github-actions
Copy link
Contributor

github-actions bot commented Nov 11, 2025
edited
Loading

Thank you for your PR!

When contributing to Jetpack, we have a few suggestions that can help us test and review your patch:

  • ✅ Include a description of your PR changes.
  • ✅ Add testing instructions.
  • ✅ Specify whether this PR includes any changes to data or privacy.
  • ✅ Add changelog entries to affected projects

This comment will be updated as you work on your PR and make changes. If you think that some of those checks are not needed for your PR, please explain why you think so. Thanks for cooperation 🤖

Jetpack plugin:

The Jetpack plugin has different release cadences depending on the platform:

  • WordPress.com Simple releases happen as soon as you deploy your changes after merging this PR (PCYsg-Jjm-p2).
  • WoA releases happen weekly.
  • Releases to self-hosted sites happen monthly:
    • Scheduled release: December 2, 2025

If you have any questions about the release process, please ask in the #jetpack-releases channel on Slack.

@github-actions github-actions bot added [Status] Needs Author Reply We need more details from you. This label will be auto-added until the PR meets all requirements. OSS Citizen This Pull Request was opened by an Open Source contributor. labels Nov 11, 2025
@tbradsha tbradsha requested review from a team and sirreal November 12, 2025 14:39
@sirreal
Copy link
Member

sirreal commented Nov 13, 2025
edited
Loading

Thanks @westonruter, this looks great. I'd like to push a change to simplify the script, it doesn't seem like there's a reason to use an output buffer and wrap in <script> only to remove it later. I'll push a change for that and verify that it's still working correctly.

I'll update this comment as I perform testing.

Before (linked):

	<script data-ampdevmode type="text/javascript">
/* <![CDATA[ */
	var wpNotesIsJetpackClient = true;
	var wpNotesIsJetpackClientV2 = true;
		/* ]]> */
</script>

Before (unlinked):

	<script data-ampdevmode type="text/javascript">
/* <![CDATA[ */
	var wpNotesIsJetpackClient = true;
	var wpNotesIsJetpackClientV2 = true;
			var wpNotesLinkAccountsURL = 'https://example.com/wp-admin/admin.php?page=jetpack';
/* ]]> */
</script>

2e3d5a2

After (linked):

	<script data-ampdevmode>
		
		var wpNotesIsJetpackClient = true;
		var wpNotesIsJetpackClientV2 = true;
				
		
</script>

After (unlinked):

	<script data-ampdevmode>
		
		var wpNotesIsJetpackClient = true;
		var wpNotesIsJetpackClientV2 = true;
					var wpNotesLinkAccountsURL = "https://example.com/wp-admin/admin.php?page=jetpack";
				
		
</script>

With no output buffer

Linked:

	<script data-ampdevmode>
var wpNotesIsJetpackClient = true;
var wpNotesIsJetpackClientV2 = true;
</script>

Unlinked:

	<script data-ampdevmode>
var wpNotesIsJetpackClient = true;
var wpNotesIsJetpackClientV2 = true;
var wpNotesLinkAccountsURL = "https://example.com/wp-admin/admin.php?page=jetpack";
</script>

@sirreal sirreal added [Status] Ready to Merge Go ahead, you can push that green button! and removed [Status] Needs Author Reply We need more details from you. This label will be auto-added until the PR meets all requirements. labels Nov 13, 2025
sirreal
sirreal previously approved these changes Nov 13, 2025
View reviewed changes
Copy link
Member

@sirreal sirreal left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you! I've left a more detailed testing report here: #45878 (comment)

@westonruter if you're happy with the additional adjustments I've made, this seems ready to merge.

@sirreal
Copy link
Member

sirreal commented Nov 13, 2025

I've also followed these steps and the notifications bell works. A nonce attribute is added to the relevant script tag: <script data-ampdevmode nonce="{{Nonce value}}">

Install the Strict CSP plugin.
Ensure the admin bar Notes 🔔 dropdown works on the frontend.

tbradsha
tbradsha reviewed Nov 13, 2025
View reviewed changes
@sirreal @tbradsha
Use nowdoc
8ae55d9 
Co-authored-by: tbradsha <32492176+tbradsha@users.noreply.github.com>
@westonruter
Copy link
Contributor Author

westonruter commented Nov 13, 2025

Thanks @westonruter, this looks great. I'd like to push a change to simplify the script, it doesn't seem like there's a reason to use an output buffer and wrap in <script> only to remove it later. I'll push a change for that and verify that it's still working correctly.

@sirreal Thanks. Not a big deal, but the reason for this is is to have syntax highlighting in the IDE. This is previously discussed in Core-58664 with a follow-up in Core-59444. It's the reason for why wp_remove_surrounding_empty_script_tags() was introduced in core. What I see with my patch in PhpStorm:

image

Versus the latest changes:

image

Granted, the nowdoc you're using achieves much of the same effect at least in the first part of the JS, which is also discussed in Core-59444, albeit with the annoying thing you can't indent the final delimiter until we can bump PHP to 7.3.

Anyway, I don't feel strongly about this. It's a trivial amount of JS in any case, so the syntax highlighting is not really needed anyway.

Thanks for following up!

@sirreal sirreal added the Reviewer Can Merge PR author indicates the reviewer is free to merge/deploy if they want to own the change. label Nov 13, 2025
@tbradsha tbradsha merged commit d000f02 into Automattic:trunk Nov 13, 2025
61 of 63 checks passed
@github-actions github-actions bot removed the [Status] Ready to Merge Go ahead, you can push that green button! label Nov 13, 2025
@github-actions github-actions bot added this to the jetpack/15.3 milestone Nov 13, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tbradsha tbradsha tbradsha left review comments

@sirreal sirreal sirreal left review comments

Assignees

No one assigned

Labels

OSS Citizen This Pull Request was opened by an Open Source contributor. [Plugin] Jetpack Issues about the Jetpack plugin. https://wordpress.org/plugins/jetpack/ Reviewer Can Merge PR author indicates the reviewer is free to merge/deploy if they want to own the change.

Projects

None yet

Milestone

jetpack/15.3

Development

Successfully merging this pull request may close these issues.

3 participants

@westonruter @sirreal @tbradsha