WPIntell

Source evidence

Compatibility with caching & JS/CSS optimization plugins

No unsafe-inline · support · 2025-01-29T14:35:00+00:00

complaint sentiment
high severity
1.0 relevance
3 replies
Evidence linked to opportunity
commercial context

Conversation

support
cbre unresolved
Hi, I’m wondering if some caching & JS/CSS optimization plugins are known to work when “No unsafe-inline” plugin is enabled? I am using WP Fastest Cache and it causes issues with “No unsafe-inline” as the nonce values added in the HTML code may not match the ones in the CSP rules in the HTTP header. Also, is there a way for “No unsafe-inline” plugin to detect external scripts as the same when a random URL parameter is just added to URLs by some plugins like Yoast SEO. Regards.

Comments

3 shown
Giuseppe 2025-01-31T08:08:00+00:00

You cannot use nonces with cached pages (and using hashes could be a problem due to limits in the HTTP response header size set in your server). The plugin recognizes random parameters in URLs, but the match could be ineffective for strange parameter names. You can see the code here: https://github.com/MocioF/No-unsafe-inline/blob/main/src%2FNunil_Capture.php#L883-L911

cbre 2025-02-03T13:06:00+00:00

Thanks. It would be great to allow users to add more random parameters from the UI. I have tried to use hashes for inline scripts (all cache / optimisation plugins disabled) and I cannot see any hash added to the inline HTML content while the hashed values are correctly listed in the CSP HTTP headers. It’s weird since I don’t have this issue when using the nonce option. I’ve tried it on multiple sites hosted on the same IIS 10 server + PHP 8.3 with no luck.

Giuseppe 2025-02-03T23:21:00+00:00

I will think about adding a filter to add more random parameter names. You don’t see any hash in the HTML of your pages because this is unnecessary for CSP. However, if you want/need, you can use SRI (subresource integrity). Here you could find a better explanation: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src https://content-security-policy.com/hash/
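
Added example, not part of the thread and not the plugin's code: a simplified Node.js model of how a browser checks an inline script against `script-src`, showing why a cached page with a stale nonce is blocked while a hash needs nothing in the markup. The function names, nonce values and sample HTML are constructed for illustration.

```javascript
// Simplified model of the browser-side script-src check for inline scripts.
const crypto = require('crypto');

// Hash source: base64 SHA-256 of the exact text between <script> and </script>.
function cspHash(scriptText) {
  const digest = crypto.createHash('sha256').update(scriptText, 'utf8').digest('base64');
  return `'sha256-${digest}'`;
}

// Source expressions listed under script-src in a CSP header value.
function scriptSrcSources(policy) {
  for (const directive of policy.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'script-src') return sources;
  }
  return [];
}

// Inline scripts in the HTML. A regex is enough for this constructed sample;
// it is not a real HTML parser.
function inlineScripts(html) {
  const found = [];
  for (const m of html.matchAll(/<script\b([^>]*)>([\s\S]*?)<\/script>/gi)) {
    if (/\bsrc\s*=/i.test(m[1])) continue; // external script, not inline
    const nonce = (m[1].match(/\bnonce\s*=\s*"([^"]*)"/i) || [])[1] || null;
    found.push({ nonce, text: m[2] });
  }
  return found;
}

// Verdict per inline script: a nonce must appear in BOTH header and markup,
// while a hash is listed only in the header and recomputed from the script text.
function evaluate(policy, html) {
  const sources = scriptSrcSources(policy);
  return inlineScripts(html).map(({ nonce, text }) => {
    if (nonce && sources.includes(`'nonce-${nonce}'`)) return 'allowed-by-nonce';
    if (sources.includes(cspHash(text))) return 'allowed-by-hash';
    return 'blocked';
  });
}

// Constructed sample data.
const body = "console.log('hi');";
const hashPolicy = `default-src 'self'; script-src 'self' ${cspHash(body)}`;
const freshNoncePolicy = "script-src 'self' 'nonce-BBBB2222'"; // new nonce per response
const cachedHtml = `<html><script nonce="AAAA1111">${body}</script></html>`; // stored earlier
const plainHtml = `<html><script>${body}</script></html>`; // no hash in the markup
console.log(evaluate(freshNoncePolicy, cachedHtml), evaluate(hashPolicy, plainHtml));
```

Any byte changed inside the inline script by a minifier or optimization plugin changes its digest, so the hash listed in the header has to be computed from the text that is finally served.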