CSP and AO

  • Resolved kbowson

    (@kbowson)


    4 years, 7 months ago

    Hey again Futta,

    I have been reading through security recommendations that advise putting a CSP in place, with the directive script-src ‘self’. Unfortunately, this seems to block the output of a lot of AO. The only way to get it to work is if you add ‘unsafe-inline’… which you obviously do NOT want to do.

    Any ideas here or way to fix?

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author Optimizing Matters

    (@optimizingmatters)

    I guess the problem is inline JS is blocked, which AO itself uses for lazyloading so that indeed would be a problem. Obviously inline JS that is not aggregated by AO (because excluded by config or excluded by code due to e.g. nonce’s) would also be blocked. But no idea how to fix I’m afraid except for unsafe-inline

    Thread Starter kbowson

    (@kbowson)

    okay, thank you!

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘CSP and AO’ is closed to new replies.