Adsense / OneSignal & ‘unsafe-inline’ ‘unsafe-eval’

CSP article at https://developers.google.com/web/fundamentals/security/csp/ has ideas on how to make this happen. For scripts you control, turn them into included scripts rather than inline scripts. You could also try the ‘strict-dynamic’ to see if that propagates the white list to include these included styles and scripts or even using hash/nonces to allow the Ad related scripts but without opening yourself to more malicious scripts.

I have a version of WP CSP that adds nonce’s to scripts/styles and the CSP header which should allow ‘strict-dynamic’ to work – however, my third party scripts are not compatible with ‘stricty-dynamic’ as they load items directly into the DOM. I will contact you for you to test the new version see if it meets your needs.

I’d love to try that version out Dylan. Ive not had time to play with Strict Dynamic yet but did read all the links you posted. It sure will create a much cleaner CSP if I can get this right.

One of the links you posted mentions getting harmony between default-src and child-src if I understood it correctly ???

You can drop me a line on [email protected] with the WS CSP version with noonces ??

I was working on the nonce code this afternoon and fixed all problems except one I’m having with a plugin (Revolution Slider). I will need to work out if I have support with them (is it Themepunch?. Meanwhile, it looks like it will meet your needs.

Is this version with Nonces planned to be released soon or available anywhere? I’d love to kill Unsafe Inline in my script-src but at the moment it’s basically impossible, and I can’t find anything else that’ll set up a nonce for you in WordPress.