Firegarden edited a comment on issue #876:
URL: https://github.com/apache/incubator-pagespeed-mod/issues/876#issuecomment-907865383


   I am applying a nonce to my inline JavaScript but that is being lost when 
PageSpeed rewrites the scripts. Can someone code a change to just preserve the 
existing nonce when it does the rewrite? Similar to how PS adds the 
`data-pagespeed-no-defer` attribute.
   
   A simple NGINX CSP implementation uses the nginx sub_filter module to 
replace a constant string with the current nginx request id - this works well 
as a nonce until pagespeed breaks it by refactoring scripts without keeping the 
nonce.
   
   # How to CSP in NGINX Details
   
   1. Add the header
   `add_header Content-Security-Policy "default-src 'self'; style-src 'nonce-$request_id'; script-src 'nonce-$request_id'";`
   
   2. Replace CSP_NONCE constant using Nginx sub module
   
   `sub_filter_once off;    sub_filter CSP_NONCE $request_id;`
   
   3. Reference constant inside the html files
   
   `<script nonce="CSP_NONCE"`
   
   ## Problem
   Pagespeed does not respect the nonce that is being set on the scripts that 
it is rewriting. 
   
   `<script data-pagespeed-no-defer>(function(){`
   
   We cannot fully use Pagespeed today due to its lack of support for 
even maintaining a CSP. This problem is not going away. 
   
   ## Proposed Solution 
   Can someone code the changes to ensure Pagespeed will start to respect and 
reuse any existing nonce="" attributes being set? 
   
   `<script nonce="CSP_NONCE" data-pagespeed-no-defer>(function(){`
   
   e.g. just carry over the nonce from the source scripts 
   
   Any takers?
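
Added example, not part of the original comment and not PageSpeed or nginx code: a Python check that reads a response's CSP header and body and lists every `<script>` or `<style>` element whose nonce the policy does not allow, marking those that carry a `data-pagespeed-*` attribute. It assumes a nonce-only policy like the one in the steps above; the function names, the sample nonce and the sample page are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# CSP directive that governs each element type this check covers.
GOVERNING = {"script": "script-src", "style": "style-src"}

def policy_nonces(csp):
    """Map each directive in a CSP header value to the set of nonces it allows."""
    out = {}
    for directive in csp.split(";"):
        name, *sources = directive.split() or [""]
        out[name.lower()] = {m.group(1) for s in sources
                             if (m := re.fullmatch(r"'nonce-([A-Za-z0-9+/_=-]+)'", s))}
    return out

class NonceAudit(HTMLParser):
    """Collect <script>/<style> start tags whose nonce the policy does not allow."""
    def __init__(self, nonces):
        super().__init__()
        self.nonces, self.findings = nonces, []

    def handle_starttag(self, tag, attrs):
        directive = GOVERNING.get(tag)
        if directive is None:
            return
        # script-src and style-src fall back to default-src when absent.
        allowed = self.nonces.get(directive, self.nonces.get("default-src", set()))
        attrs = dict(attrs)
        if attrs.get("nonce") not in allowed:
            rewritten = any(k.startswith("data-pagespeed") for k in attrs)
            self.findings.append((self.getpos()[0], tag, attrs.get("nonce"), rewritten))

def audit(csp, html):
    """Return (line, tag, nonce, has_pagespeed_attr) per element lacking an allowed nonce."""
    parser = NonceAudit(policy_nonces(csp))
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: the header after nginx substituted $request_id, and a page
# where one script kept its nonce and a rewritten one did not.
NONCE = "8f2c1d0a9b7e4c63a1f05d2e7b9c4a10"  # constructed stand-in for $request_id
SAMPLE_CSP = f"default-src 'self'; style-src 'nonce-{NONCE}'; script-src 'nonce-{NONCE}'"
SAMPLE_HTML = f"""<html><head>
<style nonce="{NONCE}">body{{margin:0}}</style>
<script nonce="{NONCE}">init();</script>
<script data-pagespeed-no-defer>(function(){{}})();</script>
</head></html>"""

if __name__ == "__main__":
    for line, tag, nonce, rewritten in audit(SAMPLE_CSP, SAMPLE_HTML):
        print(f"line {line}: <{tag}> nonce={nonce!r} pagespeed_attr={rewritten}")
```

Run against a captured response with PageSpeed on and again with it off: elements reported only in the first run are the ones the rewrite left without a nonce.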
   
   
   

