CSP prevents the execution of inline scripts, but it's not recommended to use script-src 'unsafe-inline'; so I used the hashes of the script to allow it to execute. The problem is that the hashes of the inline script are different for every page/post due to the following inline script:
The problem arises when there are two or more pages/posts on the website. Consider the following example where there are two pages/posts on the website:
Inline script for example.com/post1 where the hash is sha256-u7S9oMV/g49aCO9404X3Y98C87qUCp7kYOZPe79HeuQ=
window.CUSDIS_LOCALE = undefined
window.__DATA__ = {"host":"https://cusdis.com","appId":"appId","pageId":"pageId1","pageUrl":"https://example.com/post1/","pageTitle":"This is first post"}
Inline script for example.com/post2 where the hash is sha256-cYLu7JhrYU0FkQod2EEGCW0Hfrha/RsK6otfhvND+sA=
window.CUSDIS_LOCALE = undefined
window.__DATA__ = {"host":"https://cusdis.com","appId":"appId","pageId":"pageId2","pageUrl":"https://example.com/post2/","pageTitle":"This is second post"}
Imagine if there are hundreds of posts/pages in a website, there will be hundreds of the script hashes to be included in the CSP header.
I use a Content Security Policy (CSP) header. Below is part of the CSP header:
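Added example, not part of the original post or the Cusdis code: it shows why the hash changes with each page's embedded data, and compares one static site-wide `script-src` with a header computed per response that carries only that page's hash. The function names, the `'self'` source and the script's exact whitespace are assumptions, so the hashes it prints will not equal the ones quoted above.

```javascript
// Added example: per-page CSP hashes for an inline script that embeds page data.
const { createHash } = require("node:crypto");

// Constructed sample pages, mirroring the two posts in the report above.
const pages = [
  { pageId: "pageId1", pageUrl: "https://example.com/post1/", pageTitle: "This is first post" },
  { pageId: "pageId2", pageUrl: "https://example.com/post2/", pageTitle: "This is second post" },
];

// Assumed rendering of the inline script body; the real template's exact
// whitespace is not shown on the page, so these hashes will not match it.
function inlineScriptFor(page) {
  const data = { host: "https://cusdis.com", appId: "appId", ...page };
  // Escape "<" so a title containing "</script>" cannot close the element.
  const json = JSON.stringify(data).replace(/</g, "\\u003c");
  return `window.CUSDIS_LOCALE = undefined\nwindow.__DATA__ = ${json}`;
}

// A CSP hash source is base64(SHA-256(exact script text)), in single quotes.
function cspHashSource(scriptText) {
  const digest = createHash("sha256").update(scriptText, "utf8").digest("base64");
  return `'sha256-${digest}'`;
}

// One static header for the whole site: it needs every page's hash.
// 'self' is an assumed baseline source; the post's own header is not shown.
function staticPolicy(allPages) {
  const hashes = allPages.map((p) => cspHashSource(inlineScriptFor(p)));
  return `script-src 'self' ${hashes.join(" ")}`;
}

// Header computed per response: only the hash of the script that page serves.
function policyForPage(page) {
  return `script-src 'self' ${cspHashSource(inlineScriptFor(page))}`;
}

for (const p of pages) console.log(p.pageUrl, "->", policyForPage(p));
console.log("static:", staticPolicy(pages));
```

The hash covers the exact bytes between the script tags, so the server has to hash the same string it writes into the page.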