Enable style-src base rules without nonce

Please, post a link to your pages.

I think the nonce is generated because it is set as the method to allow inline style (the option is called: inline script mode).

However, why using “No unsafe-inline” to set ‘unsafe-inline’?

Hi @mociofiletto,

Thanks for your reply. My focus is on a strict policy on scripts, while being more lenient on styles where the risk is lower.

If I understand correctly, the option “inline script mode” applies to both inline scripts as styles?

Unfortunately, I’m unable to provide a URL at this time as I’m currently conducting testing within a local environment.

Yes @huubl the option impacts both on scripts and styles.

I will look at this as a feature request that implies: both to split the option for inline assets and to provide a value to allow or not to allow one kind of inline using the deployed CSP.

However, is there any particular reason why not to use nonces for styles? Maybe did you find a bug or similar?

Hi @mociofiletto ,

Thank you for your reply!

To minimize the risk of unintended breakages, I’m focusing on a strict CSP for scripts first and excludes styles for now.

The main challenge is the constant appearance of new items that require whitelisting. Some dynamic inline scripts persist after being whitelisted and refreshing the page.

• This reply was modified 6 months ago by huubl.
• This reply was modified 6 months ago by huubl.

About the second issue, it is a feature needed to collect those inline scripts while capture is enabled.

After a while you should disable capture and perform clustering. In the plugin, machine learning is used just to deal with this situation: when the plugin (not in capture mode) finds a “new” script, it tries to guess if it was generated by legitimated server code (or, better, if it is enough similar to whitelisted scripts) and then it will allow that script (and record it in the database as whitelisted, if add_wl_by_cluster_to_db is set on true).