Firegarden edited a comment on issue #876:
URL:
https://github.com/apache/incubator-pagespeed-mod/issues/876#issuecomment-907865383
I am applying a nonce to my inline javascript but that is being lost when
PageSpeed rewrites the scripts. Can someone code a change to just preserve the
existing nonce when it does the rewrite? Similar to how PS adds the
data-pagespeed-no-defer attribute.
I have a very simple NGINX CSP implementation where I use nginx sub module
to replace a constant string with the nginx request id which works well as a
nonce until pagespeed breaks this.
# Details of how CSP Works
`add_header Content-Security-Policy "default-src 'self'; style-src 'nonce-$request_id'; script-src 'nonce-$request_id'";`
constant CSP_NONCE is replaced using nginx sub module
`sub_filter_once off; sub_filter CSP_NONCE $request_id;`
Inside our html files
`<script nonce="CSP_NONCE"`
After pagespeed runs the nonce is lost. e.g.
`<script data-pagespeed-no-defer>(function(){`
We cannot fully use Pagespeed today now due to its lack of support for
even maintaining a CSP. This problem is not going away. Can someone write the
code to ensure Pagespeed will respect and reuse the existing nonce=""
attribute?
How hard can this be?
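One way to catch the regression described in the comment above, as an added example that is not part of the original comment or of PageSpeed: it reads the nonces the CSP header allows and reports every `<script>` or `<style>` tag in the response body whose nonce is missing or not in the policy. The function names and the sample header and HTML are constructed, and it assumes a nonce-only policy like the one quoted, so every such tag needs a nonce.

```python
import re
from html.parser import HTMLParser

# Constructed sample: the policy from the comment with $request_id already expanded,
# and a body where one script lost its nonce and one placeholder was never substituted.
SAMPLE_CSP = "default-src 'self'; style-src 'nonce-abc123'; script-src 'nonce-abc123'"
SAMPLE_HTML = """<html><head>
<script nonce="abc123">init();</script>
<script data-pagespeed-no-defer>(function(){})();</script>
<style nonce="CSP_NONCE">p{}</style>
</head></html>"""

def csp_nonces(header):
    """Map each CSP directive name to the set of nonces it allows."""
    out = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            out[parts[0].lower()] = set(re.findall(r"'nonce-([^']+)'", directive))
    return out

class InlineAudit(HTMLParser):
    """Record <script>/<style> tags whose nonce is missing or not allowed."""
    def __init__(self, allowed):
        super().__init__()
        self.allowed = allowed      # {"script": {nonces}, "style": {nonces}}
        self.findings = []          # (line, tag, reason)

    def handle_starttag(self, tag, attrs):
        if tag not in self.allowed:
            return
        nonce = dict(attrs).get("nonce")
        if nonce is None:
            self.findings.append((self.getpos()[0], tag, "missing nonce"))
        elif nonce not in self.allowed[tag]:
            self.findings.append((self.getpos()[0], tag, "nonce not in policy"))

def audit(csp_header, html):
    """Return findings for tags the browser would block under csp_header."""
    policy = csp_nonces(csp_header)
    fallback = policy.get("default-src", set())   # used when a directive is absent
    parser = InlineAudit({"script": policy.get("script-src", fallback),
                          "style": policy.get("style-src", fallback)})
    parser.feed(html)
    return parser.findings

if __name__ == "__main__":
    for line, tag, reason in audit(SAMPLE_CSP, SAMPLE_HTML):
        print(f"line {line}: <{tag}> {reason}")
```

Run against the header and body of a response fetched through the PageSpeed-enabled server, an empty result means every script and style tag still carries a nonce the policy accepts.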