In a previous article i mentioned that the “Disable Emojis” plugin removes requests to external servers for downloading Emoji graphics on a WordPress site. This works in the frontend (the part the user/customer visits). In the backend (the part the admin visits) there are hardcoded references to external emoji graphics., for example here:
There also does not appear to be a suitable administrative filter that could be used to patch the unwanted HTML image references out of the effective HTML sent to the browser:
https://developer.wordpress.org/apis/hooks/filter-reference/#administrative-filters
However, the user browser suppresses the loading of such external graphics if the Content-Security-Policy (CSP) header sent by the webserver includes this statement:
img-src 'self' data:;
Now, user browsers will refuse to load any images that are not from the same site or are provided as “data” attributes (i.e. inline):
- Not Being Tracked by Functions In WordPress Core
- Support For Multiple Languages in WordPress
- Adding Custom Format Buttons To tinyMCE in WordPress 4
- WordPress-Plugin to Embed Gitlab Project Information
- Removing the Builtin Inline CSS from WordPress
- WordPress Plugin to embed Gitea Repositories
- Disabling external Emojis in the WordPress Admin GUI