Currently signatures are explicitly still added, even if unsafe-inline was already present in the script-src or style-src directive. However, if your application adds a lot of hashes (for style="…" for example) and you decide to instead allow unsafe-inline in general, the hashes are still output in the response header. This might lead to the response header size being too large, if there are a lot of long hashes for example
This PR would automatically not apply any signatures, if unsafe-inline was enabled.
Currently signatures are explicitly still added, even if
unsafe-inlinewas already present in thescript-srcorstyle-srcdirective. However, if your application adds a lot of hashes (forstyle="…"for example) and you decide to instead allowunsafe-inlinein general, the hashes are still output in the response header. This might lead to the response header size being too large, if there are a lot of long hashes for exampleThis PR would automatically not apply any signatures, if
unsafe-inlinewas enabled.wdyt?