Content-Security-Policy #68

Open
macgeneral opened this Issue Oct 22, 2016 · 3 comments


@macgeneral

Is there a way that Autoptimize could insert a script/css 'nonce' in the script/style tag? That way I could allow scripts and css with that nonce while disallowing all others (and abandoning 'unsafe-inline').

Autoptimize is the perfect place for this feature because it already can strip all inline code; it's just missing a function to either generate a script/css hash and modify the CSP header, or alternatively just add the tag required above.

@futtta
Owner
futtta commented Oct 23, 2016

That would certainly be possible, but AO does not do that (yet). If you feel like contributing, go for it, I'll be happy to guide you in the right direction! :-)

@futtta futtta added the enhancement label Oct 23, 2016
@macgeneral

I'd love to if I can find some spare time in November

@futtta
Owner
futtta commented Oct 24, 2016

Great!

I would go for hashes rather than nonces, as this would -if I understand correctly- not require AO to inject different CSP-headers for different JS/CSS files, you just need to add a CSP header stating the hash is to be checked, right?
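The two approaches weighed in this thread, as an added example (not Autoptimize code, and in Python rather than the plugin's PHP): a hash-based policy, where the `sha256` of each inline block is computed over its exact content and listed in the header, and the nonce alternative, where a fresh value is stamped on every inline tag per response. The HTML fragment is constructed for the example.

```python
import base64
import hashlib
import re
import secrets

# Constructed sample page with two inline scripts and one inline style.
SAMPLE_HTML = """<html><head>
<script>console.log('a');</script>
<style>body{margin:0}</style>
</head><body>
<script>window.x = 1;</script>
</body></html>"""

# Inline <script>/<style> only: tags carrying src= are external and are not hashed.
INLINE_RE = re.compile(r"<(script|style)(?![^>]*\bsrc=)[^>]*>(.*?)</\1>", re.S | re.I)
OPEN_TAG_RE = re.compile(r"<(script|style)(?![^>]*\bsrc=)([^>]*)>", re.I)


def csp_hash(source: str) -> str:
    """CSP hash-source for one inline block: sha256 over the exact bytes between
    the tags (any whitespace change alters the hash, so compute it on final output)."""
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def hash_policy(html: str) -> str:
    """Header value allowing only the inline blocks present in html; same header
    for every response as long as the inline content does not change."""
    scripts, styles = [], []
    for tag, body in INLINE_RE.findall(html):
        (scripts if tag.lower() == "script" else styles).append(csp_hash(body))
    return ("default-src 'self'; script-src 'self' " + " ".join(scripts)
            + "; style-src 'self' " + " ".join(styles))


def nonce_policy(html: str):
    """Nonce alternative: a new random value per response, injected into each
    inline tag and into the header. Returns (header_value, rewritten_html)."""
    nonce = base64.b64encode(secrets.token_bytes(16)).decode("ascii")
    tagged = OPEN_TAG_RE.sub(rf'<\1 nonce="{nonce}"\2>', html)
    header = (f"default-src 'self'; script-src 'self' 'nonce-{nonce}'; "
              f"style-src 'self' 'nonce-{nonce}'")
    return header, tagged
```

Neither header needs 'unsafe-inline'; the hash form must be recomputed whenever the inline content changes, while the nonce form must be regenerated (and never cached) on every response.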
