CSP and unsafe-inline

If you mean the use of inline script in front-side non-admin pages, only when you use [recaptcha] form-tags in your form it does embed inline JavaScript. Otherwise, no, it doesn’t use them.

So, I suppose this one is what you mean:

<script type='text/javascript'>
/* <![CDATA[ */
var wpcf7 = {"apiSettings":{"root":"https:\/\/www.example.com\/wp-json\/contact-form-7\/v1","namespace":"contact-form-7\/v1"},"recaptcha":{"messages":{"empty":"Please verify that you are not a robot."}}};
/* ]]> */
</>

Is it possible for you to update the plugin so that this script is not inline (or isn’t this even possible?).

(I’m not embedding anything in this front page, there’s no form at all)

• This reply was modified 6 years, 4 months ago by islp.
• This reply was modified 6 years, 4 months ago by islp.

Um, I didn’t count it as inline script, sorry. It’s virtually impossible to make it not inline, and I think such decisions are not reasonable.

Well, this is from Mozilla docs about Content Security Policy:

‘unsafe-inline’
Allows the use of inline resources, such as inline <script> elements, javascript: URLs, inline event handlers, and inline <style> elements. You must include the single quotes.

I suppose anything contained between <script> and </script> should be considered “inline” (and “unsafe” too), but maybe I’m wrong…

(https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src)

• This reply was modified 6 years, 4 months ago by islp.

Maybe, this could be solved if that line could live in an external .js file