Firegarden commented on issue #876: URL: https://github.com/apache/incubator-pagespeed-mod/issues/876#issuecomment-907865383
I am applying a nonce to my inline javascript but that is being lost when PageSpeed rewrites the scripts. What not just rewrite the existing nonce just as it writes in the data-pagespeed- addtributes I have a very simple implementation where I use nginx sub module to replace the string with the nginx request id which works as a nonce but pagespeed breaks `add_header Content-Security-Policy "default-src 'self'; style-src 'nonce-$request_id'; script-src 'nonce-$request_id'` this is available to the page as a constant CSP_NONCE and replaced using nginx sub module `sub_filter_once off; sub_filter CSP_NONCE $request_id;` this specific CSP issue is not going away. We can not fully use Pagespeed right now due to it's lack of support for CSP and it would be easy to make possible if Pagespeed will respect and reuse the existing nonce="" attribute. How hard can this be? -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@pagespeed.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
