helged opened a new issue #1758: ModPagespeedHonorCsp ignores that unsafe-eval is not an allowed script source
URL: https://github.com/apache/incubator-pagespeed-mod/issues/1758
 
 
   I just upgraded to mod_pagespeed 1.13.35.2. I hoped that I could finally get rid of `script-src 'unsafe-eval'` in my content security policy. So I added `ModPagespeedHonorCsp on` to my configuration. After removing `unsafe-eval` from the CSP, restarting Apache, and, for good measure, deleting pagespeed's disk cache, Chrome's dev tools console shows errors like the following:
   
   _Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline' https: data:"._
   
   Comparing the count of evals before and after the change, it turns out that not a single eval has been removed by mod_pagespeed. I am referring to constructs like the following:
   
   `eval(mod_pagespeed_9iFvSnQ84y)`
   
   One of the sites running on the server is [uberagent.com](https://uberagent.com) in case you want to take a look. I reverted the change, of course.
   
   The configuration shown at `/pagespeed_admin/config` is as shown below.
   
   > Version: 14: on
   > 
   > Filters
   > ah Add Head
   > cw Collapse Whitespace
   > cc Combine Css
   > jc Combine Javascript
   > gp Convert Gif to Png
   > jp Convert Jpeg to Progressive
   > jw Convert Jpeg To Webp
   > mc Convert Meta Tags
   > pj Convert Png to Jpeg
   > ws When converting images to WebP, prefer lossless conversions
   > ec Cache Extend Css
   > ei Cache Extend Images
   > es Cache Extend Scripts
   > fc Fallback Rewrite Css 
   > if Flatten CSS Imports
   > hw Flushes html
   > ci Inline Css
   > ii Inline Images
   > il Inline @import to Link
   > ji Inline Javascript
   > js Jpeg Subsampling
   > ll Lazyload Images
   > rj Recompress Jpeg
   > rp Recompress Png
   > rw Recompress Webp
   > ri Resize Images
   > cf Rewrite Css
   > jm Rewrite External Javascript
   > jj Rewrite Inline Javascript
   > cu Rewrite Style Attributes With Url
   > cp Strip Image Color Profiles
   > md Strip Image Meta Data
   > 
   > Options
   >   DisableRewriteOnNoTransform (drnt)  False
   >   EnableRewriting (e)                 1
   >   FetchHttps (fhs)                    enable
   >   FileCacheInodeLimit (afcl)          500000
   >   FileCachePath (afcp)                /var/cache/mod_pagespeed/
   >   FileCacheSizeKb (afc)               10240000
   >   HonorCsp (hcsp)                     True
   >   LogDir (ald)                        /var/log/pagespeed
   >   SslCertDirectory (assld)            /etc/ssl/certs
   >   StatisticsLogging (asle)            True
   > 
   > Domain Lawyer
   > 
   > Invalidation Timestamp: Sun, 04 Mar 2018 01:09:18 GMT (1520125758000)

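The report above boils down to a policy question (does this `script-src` permit `eval()`?) and a content question (does the served page still contain eval-style calls such as `eval(mod_pagespeed_9iFvSnQ84y)`?). The following is an added example, not code from mod_pagespeed or from the issue author: a small pre-deployment check that parses a CSP header value, decides whether `eval()` is allowed under `script-src` (falling back to `default-src` as CSP does), and lists the eval-style sinks in the HTML that would be refused. The CSP string and the HTML page are constructed inputs modelled on the error message and the `eval(...)` wrapper quoted above; the function names are this example's own.

```python
"""Pre-deployment check: will this page's scripts survive a CSP without 'unsafe-eval'?

Added example, not mod_pagespeed code. It parses a CSP header value, decides
whether eval() is permitted under script-src (with the default-src fallback),
and flags eval-style calls in the served HTML that such a policy would block.
"""
import re

# Constructed inputs modelled on the issue: the script-src quoted in Chrome's
# error, and a page carrying the eval() wrapper mod_pagespeed emits around
# inlined JavaScript (the variable name is the one quoted in the report).
SAMPLE_CSP = "default-src 'self'; script-src 'unsafe-inline' https: data:"
SAMPLE_HTML = """<html><head>
<script>var mod_pagespeed_9iFvSnQ84y = "console.log('inlined');";</script>
<script>eval(mod_pagespeed_9iFvSnQ84y)</script>
<script>document.title = "no eval here";</script>
<script>setTimeout("tick()", 100);</script>
</head></html>"""

# Sinks that CSP refuses without 'unsafe-eval': eval(), Function(), and the
# string-argument forms of setTimeout/setInterval.
EVAL_SINK = re.compile(r"""\b(?:eval|Function)\s*\(|\b(?:setTimeout|setInterval)\s*\(\s*["']""")
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)


def parse_csp(header):
    """Split a CSP header value into {directive: [source expressions]}.

    CSP ignores a repeated directive, so the first occurrence wins.
    """
    policy = {}
    for clause in header.split(";"):
        tokens = clause.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def eval_allowed(policy):
    """eval() is governed by script-src, falling back to default-src.

    With neither directive present, CSP imposes no restriction on eval().
    """
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True
    return any(src.lower() == "'unsafe-eval'" for src in sources)


def find_eval_sinks(html):
    """Return (line number, matched text) for each eval-style call in <script> bodies."""
    findings = []
    for block in SCRIPT_BLOCK.finditer(html):
        body_start = block.start(1)
        for match in EVAL_SINK.finditer(block.group(1)):
            line = html.count("\n", 0, body_start + match.start()) + 1
            findings.append((line, match.group(0).strip()))
    return findings


def audit(header, html):
    """List the eval sinks the policy would block; an empty list means safe to ship."""
    if eval_allowed(parse_csp(header)):
        return []
    return find_eval_sinks(html)


if __name__ == "__main__":
    for line, snippet in audit(SAMPLE_CSP, SAMPLE_HTML):
        print(f"line {line}: {snippet!r} would be refused by CSP {SAMPLE_CSP!r}")
```

Running `audit()` over the rewritten output of a page before dropping `'unsafe-eval'` from the policy reproduces the comparison the report describes (evals before vs. after): if `HonorCsp` is doing its job, the inlined-script wrapper should no longer appear in the findings. The scanner is deliberately conservative; it looks only at inline `<script>` bodies and does not fetch external scripts, so a clean result means the HTML itself is clean, not that every referenced script is.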
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services
