Currently signatures are explicitly still added, even if unsafe-inline was already present in the script-src or style-src directive. However, if your application adds a lot of hashes (for style="…" for example) and you decide to instead allow unsafe-inline in general, the hashes are still output in the response header. This might lead to the response header size being too large, if there are a lot of long hashes for example.
This PR would automatically not apply any signatures, if unsafe-inline was enabled.
wdyt?
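
The behaviour proposed above, as an added example that is not the project's code: a header builder that leaves hash sources out of any directive that already contains 'unsafe-inline'. The function names and the sample inline styles are assumptions made for illustration.

```python
# Added example; function names are hypothetical, not the project's API.
import base64
import hashlib

UNSAFE_INLINE = "'unsafe-inline'"


def hash_source(content: str, algo: str = "sha256") -> str:
    """Return the CSP hash-source for one inline script/style body."""
    digest = hashlib.new(algo, content.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def build_directive(name, sources, inline_bodies=()):
    """Serialise one directive, skipping hashes if 'unsafe-inline' is set."""
    out = list(sources)
    if UNSAFE_INLINE not in out:
        for body in inline_bodies:
            src = hash_source(body)
            if src not in out:  # de-duplicate repeated inline bodies
                out.append(src)
    return f"{name} {' '.join(out)}"


def build_csp(policy, inline):
    """policy: directive -> sources; inline: directive -> inline bodies."""
    return "; ".join(
        build_directive(name, srcs, inline.get(name, ()))
        for name, srcs in policy.items()
    )


# Constructed sample: 200 distinct style="..." attribute values.
SAMPLE_INLINE = {"style-src": [f"width: {i}px" for i in range(200)]}

if __name__ == "__main__":
    hashed = build_csp({"style-src": ["'self'"]}, SAMPLE_INLINE)
    relaxed = build_csp({"style-src": ["'self'", UNSAFE_INLINE]}, SAMPLE_INLINE)
    print(len(hashed), "bytes with hashes")
    print(len(relaxed), "bytes:", relaxed)
```

In browsers implementing CSP Level 2 or later, a hash or nonce source in a directive makes the browser ignore 'unsafe-inline' there, so emitting both changes enforcement as well as header size.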