• Resolved luminsol

    (@luminsol)


    Hi guys,

    I have my own Content Security Policy, but I notice that with the LiteSpeed Cache plugin enabled, it injects the following into the response header:

    content-security-policy-report-only: default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' 'unsafe-inline' 'unsafe-eval' data:;

    This generates a tonne of warnings when using Google fonts. In particular with the webfontloader.js:

    [Report Only] Refused to load the stylesheet 'https://fonts.googleapis.com/css?family=Josefin+Sans:400,600,700%7COpen+Sans:300,400,700&display=swap' because it violates the following Content Security Policy directive: "default-src 'self' 'unsafe-inline' 'unsafe-eval'". Note that 'style-src-elem' was not explicitly set, so 'default-src' is used as a fallback.
    
    h @ webfontloader.min.js:1
    l @ webfontloader.min.js:1
    X.load @ webfontloader.min.js:1
    (anonymous) @ webfontloader.min.js:1
    t.load @ webfontloader.min.js:1
    (anonymous) @ webfontloader.min.js:1
    (anonymous) @ webfontloader.min.js:1
    

    Is there any way to disable the injection of this CSP header?
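
The console message in the post above names `default-src` because the report-only policy sets no `style-src-elem` or `style-src`. The following added example (not part of the original post or of the plugin's code) walks that fallback chain for the header and stylesheet URL quoted in the post; the page origin `https://example.com` is an assumption, and source matching is simplified.

```javascript
// Added example: simplified CSP matching (ignores ports, paths, nonces, hashes).
const FALLBACK = {
  'style-src-elem': ['style-src-elem', 'style-src', 'default-src'],
  'script-src-elem': ['script-src-elem', 'script-src', 'default-src'],
  'font-src': ['font-src', 'default-src'],
  'img-src': ['img-src', 'default-src'],
};

function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !policy.has(key)) policy.set(key, sources); // first occurrence wins
  }
  return policy;
}

function matchesSource(source, url, pageOrigin) {
  const target = new URL(url);
  if (source === '*') return ['http:', 'https:'].includes(target.protocol);
  if (source === "'self'") return target.origin === pageOrigin;
  if (source.startsWith("'")) return false; // 'unsafe-inline' etc. never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return target.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/i.exec(source);
  if (!m) return false;
  if (m[1] && m[1].toLowerCase() + ':' !== target.protocol) return false;
  const host = m[2].toLowerCase();
  return host.startsWith('*.') ? target.hostname.endsWith(host.slice(1)) : target.hostname === host;
}

// Returns which directive governs the load and whether its source list allows the URL.
function check(header, kind, url, pageOrigin) {
  const policy = parsePolicy(header);
  const governing = FALLBACK[kind].find((d) => policy.has(d));
  if (!governing) return { allowed: true, governing: null };
  const allowed = policy.get(governing).some((s) => matchesSource(s, url, pageOrigin));
  return { allowed, governing };
}

// Header and stylesheet URL are taken from the post; the page origin is constructed.
const REPORT_ONLY = "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' 'unsafe-inline' 'unsafe-eval' data:;";
const FONTS_CSS = 'https://fonts.googleapis.com/css?family=Josefin+Sans:400,600,700%7COpen+Sans:300,400,700&display=swap';
const PAGE_ORIGIN = 'https://example.com';
console.log(check(REPORT_ONLY, 'style-src-elem', FONTS_CSS, PAGE_ORIGIN));
```

Running the same check against the response headers with the plugin enabled and disabled shows which policy each configuration actually delivers.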

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Support qtwrk

    (@qtwrk)

    Hi,

    I don’t think LSCWP will add a CSP header; I just searched through the code and didn’t find anything related to CSP.

    Best regards,

    Thread Starter luminsol

    (@luminsol)

    Thanks for the reply.

    It is strange, because when I disable the LS cache plugin, the CSP header is gone. When re-enabled, it’s back.

    Plugin Support qtwrk

    (@qtwrk)

    Hi,

    Interesting.

    Please create a ticket by mail to support at litespeedtech.com with a reference link to this topic.

    Best regards,

    @luminsol
    Did you try ‘strict-dynamic’?

  • The topic ‘CSP is injected by Litespeed Cache Plugin?’ is closed to new replies.