A client-required CSP that removes ‘unsafe-inline’ causes the site to not function.
I’ve seen other forum post replies saying that Pro and Cornerstone would not require ‘unsafe-inline’ to function.
I’ve read about nonce and hash techniques, but the number of inline code used on the site in question is substantial. It uses many Classic Elements as it’s an older site - not sure if that would affect things.
Without deconstructing plugins to separate out the javascript, how is anyone removing ‘unsafe-inline’ while using WordPress, Pro and Cornerstone?
Hello @disadmin,
Thanks for writing to us.
Removing ‘unsafe-inline’ from your Content Security Policy can impact the site’s functionality, especially if it uses older Classic Elements in Cornerstone or Pro. While newer V2 Elements in Pro and Cornerstone are built to work without inline scripts, Classic Elements rely on them for certain features, so they will break unless those scripts are allowed via ‘unsafe-inline’. If you’d like to avoid ‘unsafe-inline’, the best approach is to update affected sections to use V2 Elements or restructure content so scripts and styles are loaded externally.
Hope it helps
Thanks
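An added example, not part of the original thread or the theme's own code: before choosing between hashes, nonces and rebuilding sections, it helps to inventory which inline code a rendered page actually carries. This sketch hashes inline `<script>` and `<style>` bodies as CSP hash sources and separately lists `on*` handlers and `style=""` attributes, which element hashes do not cover; the class name, function name and sample markup are assumptions constructed for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser

class InlineAudit(HTMLParser):
    """Inventory the inline code a CSP without 'unsafe-inline' would block."""
    def __init__(self):
        super().__init__()
        self.script_hashes, self.style_hashes = [], []  # bodies: allowable by hash
        self.handlers, self.style_attrs = [], []        # attributes: need refactoring
        self._open, self._buf = None, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        self.handlers += [(tag, name) for name in attrs if name.startswith("on")]
        if "style" in attrs:
            self.style_attrs.append(tag)
        # <script src=...> is matched by URL or nonce, so only inline bodies are hashed.
        if tag == "style" or (tag == "script" and "src" not in attrs):
            self._open, self._buf = tag, []

    def handle_data(self, data):
        if self._open:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag != self._open:
            return
        body = "".join(self._buf).encode("utf-8")  # exact text between the tags
        source = "'sha256-%s'" % base64.b64encode(hashlib.sha256(body).digest()).decode()
        (self.script_hashes if tag == "script" else self.style_hashes).append(source)
        self._open = None

def audit(html):
    parser = InlineAudit()
    parser.feed(html)
    parser.close()
    return parser

# Constructed sample markup, not taken from the site discussed in the thread.
SAMPLE = """<head><style>.x-bar{display:none}</style>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script>window.demo = 1;</script></head>
<body><a href="#" onclick="toggle()" style="color:red">Menu</a></body>"""

if __name__ == "__main__":
    r = audit(SAMPLE)
    print("script-src 'self'", *r.script_hashes, "| refactor:", r.handlers, r.style_attrs)
```

A hash only matches while the inline body stays byte-identical, so output that changes per request needs a nonce or an external file instead.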