Hi AiTpro,
Have you looked at Content-Security-Policy headers? As you may know, they are intended to provide additional protection against attacks such as XSS. http://www.w3.org/TR/2012/CR-CSP-20121115/
I have spent a few hours on this and I still can’t get them to work without throwing up errors. 🙁 The problem I have is an inline b64 font in a CSS file, and some complex source addresses fail to parse. Personally, after playing with it for a while, I have doubts whether it will ever work with WP, as JavaScript and fonts need to adhere to stringent requirements; otherwise the only way to get them to work is to use ‘unsafe-inline’, which defeats the whole purpose. Anyway, just wondering if you have looked at this and if you got any further than I did.
Oh, by the way, there is an abandoned WP plugin called Content Security Policy (http://wordpress.org/plugins/content-security-policy/) that was written by one of the key folks behind this at Mozilla. Unfortunately it doesn’t seem to work on 3.6; it crashed FF on me a couple of times and my dev skills are not advanced enough to debug it.
This is the format…
# "data:" with the colon is the scheme-source that allows base64 fonts embedded in CSS;
# a bare "data" is read as a host named data and the inline font stays blocked.
Header set Content-Security-Policy "default-src 'self'; \
script-src 'self'; \
font-src 'self' data:; \
connect-src 'self'"
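Since the sticking point in this thread is a base64 font in CSS that the browser keeps blocking, here is a small added example (my own code, not the poster's snippet and not the Mozilla plugin) that parses a CSP 1.0 header the way the linked W3C Candidate Recommendation defines source expressions, lints for the tokens that parse fine but do not mean what the author intended (a bare `data` host instead of the `data:` scheme, `'unsafe-inline'` in `script-src`), and then checks whether a given resource URL would be allowed by a directive, with the `default-src` fallback a browser applies. The page URL, the header strings and the base64 font stub are constructed test inputs; the matcher follows CSP 1.0 only (no path matching, nonces or hashes, which came in later versions).

```python
"""
Parse and check a CSP 1.0 header.

Added example for this thread, not code from the original post or from the
WordPress plugin mentioned. Parses a Content-Security-Policy value, lints the
mistakes that silently break a site, and checks whether a resource URL is
allowed by a directive, falling back to default-src like a browser does.
"""
import re
from urllib.parse import urlsplit

KEYWORDS = {"'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'"}
DEFAULT_PORTS = {"http": 80, "https": 443}

# scheme-source, e.g. "data:" or "https:" (note the trailing colon)
SCHEME_RE = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.-]*:$")
# host-source per CSP 1.0: [scheme://]host[:port], host may start with "*."
HOST_RE = re.compile(
    r"^(?:(?P<scheme>[a-zA-Z][a-zA-Z0-9+.-]*)://)?"
    r"(?P<host>\*|(?:\*\.)?[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*)"
    r"(?::(?P<port>\d+|\*))?$"
)


def parse_policy(header):
    """Return {directive: [source, ...]}; raise ValueError on a token that is
    not a valid CSP 1.0 source expression."""
    policy = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        if name in policy:
            continue  # browsers keep the first occurrence of a directive
        for src in sources:
            if not (src.lower() in KEYWORDS or SCHEME_RE.match(src) or HOST_RE.match(src)):
                raise ValueError("cannot parse source %r in %s" % (src, name))
        policy[name] = sources
    return policy


def lint_policy(policy):
    """Warn about sources that parse but do not do what the author meant."""
    warnings = []
    for name, sources in policy.items():
        for src in sources:
            # "data" is a host called data, so data: URIs stay blocked
            if src.lower() in ("data", "blob", "http", "https"):
                warnings.append("%s: %r is a host name, you probably meant %r" % (name, src, src + ":"))
        if name == "script-src" and "'unsafe-inline'" in (s.lower() for s in sources):
            warnings.append("script-src: 'unsafe-inline' lets injected inline script run, XSS is not mitigated")
    return warnings


def _effective_port(parts):
    return parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)


def origin_of(url):
    """(scheme, host, port) triple used for the 'self' comparison."""
    p = urlsplit(url)
    return (p.scheme.lower(), (p.hostname or "").lower(), _effective_port(p))


def _host_matches(pattern, host):
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # *.cdn.example does not match cdn.example itself
    return host == pattern


def source_allows(src, url, origin):
    """Does one source expression allow loading `url` from a page at `origin`?"""
    u = urlsplit(url)
    lower = src.lower()
    if lower == "'self'":
        return origin_of(url) == origin
    if lower in KEYWORDS:
        return False  # 'none'; 'unsafe-inline'/'unsafe-eval' govern inline code, not URLs
    if SCHEME_RE.match(src):
        return u.scheme.lower() == lower[:-1]
    m = HOST_RE.match(src)
    if m is None:
        return False
    scheme = (m["scheme"] or origin[0]).lower()  # no scheme given: the page's scheme applies
    if u.scheme.lower() != scheme:
        return False
    if not _host_matches(m["host"].lower(), (u.hostname or "").lower()):
        return False
    port = m["port"]
    if port == "*":
        return True
    wanted = int(port) if port else DEFAULT_PORTS.get(u.scheme.lower())
    return _effective_port(u) == wanted


def allows(policy, directive, url, page_url):
    """Check `url` against `directive`, falling back to default-src; with
    neither present that resource type is unrestricted."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    origin = origin_of(page_url)
    return any(source_allows(s, url, origin) for s in sources)


# Constructed inputs for the demo: a page URL and a stub base64 font.
PAGE_URL = "https://blog.example/"
B64_FONT = "data:font/woff;base64,d09GRgABAAAA"
# The header from this thread as written, and the same with the colon added.
BROKEN = "default-src 'self'; script-src 'self'; font-src 'self' data; connect-src 'self'"
FIXED = "default-src 'self'; script-src 'self'; font-src 'self' data:; connect-src 'self'"

if __name__ == "__main__":
    for label, header in (("broken", BROKEN), ("fixed", FIXED)):
        policy = parse_policy(header)
        print(label, "font allowed:", allows(policy, "font-src", B64_FONT, PAGE_URL))
        for w in lint_policy(policy):
            print("  warning:", w)
```

Run it as-is and the "broken" header reports the font as blocked with a warning about the bare `data` token, while the "fixed" header allows it and lints clean. Feeding it your own header before putting it in .htaccess is a cheap way to catch the token that was making the browser complain.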