flatpressblog / flatpress

FlatPress is a lightweight, easy-to-set-up flat-file blogging engine.
https://flatpress.org
GNU General Public License v2.0

Remove 'unsafe-inline' code #422

Closed Fraenkiman closed 2 months ago

Fraenkiman commented 3 months ago

If you were to remove 'unsafe-inline' from script-src in the header, the following functions would fail in FlatPress: PhotoSwipe, BBCode toolbar, widget management, emoticons, cookie banner. This applies to all places where JavaScript is embedded inline.

Although CSP version 3 allows 'unsafe-inline' code in script-src, there is an increased risk of cross-site scripting attacks.

In FlatPress, all inline scripts must have a nonce attribute: `<script nonce="rAnD0m">`. Each time a FlatPress page is reloaded, a new random code is generated and assigned to the script. This random code is also stored in the CSP header.

A secure, modern browser only executes the inline code if the value of the nonce attribute matches the one in the header. This has already been implemented and tested on my FlatPress blog. See the HTML source code.

Best regards Frank
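The mechanism described in the issue, as an added stand-alone PHP illustration (not FlatPress code; FlatPress's own implementation is in the linked commit). It shows the weak `'unsafe-inline'` policy beside the per-request nonce policy, and an inline script with and without the nonce; the function names are hypothetical.

```php
<?php
// Added example, not FlatPress code: per-request CSP nonce for inline scripts.

// One nonce per page load: 16 random bytes, base64-encoded (~22 characters).
function csp_make_nonce(): string {
    return base64_encode(random_bytes(16));
}

// Weak policy: every inline <script> runs, including any that an attacker
// manages to inject into the page (the XSS risk named in the issue).
function csp_header_unsafe(): string {
    return "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'";
}

// Nonce policy: only inline scripts carrying this exact nonce value run.
function csp_header_nonce(string $nonce): string {
    return "Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-{$nonce}'";
}

// Render an inline script tag that the browser will accept under the nonce policy.
function inline_script(string $nonce, string $js): string {
    $attr = htmlspecialchars($nonce, ENT_QUOTES, 'UTF-8');
    return "<script nonce=\"{$attr}\">{$js}</script>\n";
}

$nonce = csp_make_nonce();
// Headers must be sent before any output; the same $nonce is reused for
// every inline script on this one response and is never reused across requests.
header(csp_header_nonce($nonce));
header('Content-Type: text/html; charset=UTF-8');

echo "<!DOCTYPE html><html><head><title>nonce demo</title></head><body>\n";
// Executed: carries the current nonce (e.g. a BBCode toolbar initialiser).
echo inline_script($nonce, "console.log('toolbar initialised');");
// Blocked by the browser and reported in the console: no nonce attribute.
echo "<script>console.log('this never runs');</script>\n";
echo "</body></html>\n";
```

If a full-page cache sits in front of the blog, it must not serve a cached response containing an old nonce, because the nonce only protects when it is fresh and unpredictable per request.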

Fraenkiman commented 2 months ago

Closed with 0863485