relative inclusion of snippets causes CSP issues
When including snippets, a relative URL will be used, like:
<script src='//domain.tld/wp-content/uploads/custom-css-js/160.js?v=5555'></script>
However, this relative URI (although perfectly valid) causes CSP (Content Security Policy) alerts, as content may also be fetched using insecure protocols. In essence, the protocol-relative URI does not match the 'self' target in a CSP. As a result, the “Subresource Integrity” check kicks in and, due to the lack of hashes (why would you do this on an internal server?), the score of a page is downgraded.

Would it be possible to inherit the URI scheme from the WordPress site, or make it configurable, instead of using a protocol-relative one?
- The topic ‘relative inclusion of snippets causes CSP issues’ is closed to new replies.
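As an added example (not part of the original post and not the plugin's code), the following Python sketch audits a page for protocol-relative script includes like the one quoted above and rewrites them to inherit the site's scheme, which is what the post requests. The names `audit`, `pin_scheme` and `SAMPLE_HTML`, and the host `cdn.example`, are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page; the first tag is the one quoted in the post.
SAMPLE_HTML = """
<script src='//domain.tld/wp-content/uploads/custom-css-js/160.js?v=5555'></script>
<script src="//cdn.example/lib.js"></script>
<script src="/wp-includes/js/local.js"></script>
"""

class _ScriptCollector(HTMLParser):
    """Collect the attributes of every <script> start tag."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append(dict(attrs))

def audit(html, site_url):
    """Return one finding per <script> whose src is protocol-relative."""
    collector = _ScriptCollector()
    collector.feed(html)
    site = urlsplit(site_url)
    findings = []
    for attrs in collector.scripts:
        src = attrs.get("src") or ""
        if not src.startswith("//"):
            continue
        # A '//host/path' reference inherits the scheme of the page it is on.
        absolute = urljoin(site_url, src)
        findings.append({
            "src": src,
            "absolute": absolute,
            "same_host": urlsplit(absolute).netloc.lower() == site.netloc.lower(),
            "has_integrity": "integrity" in attrs,
        })
    return findings

_PROTO_REL = re.compile(r"""(<script\b[^>]*?\bsrc\s*=\s*["'])//""", re.IGNORECASE)

def pin_scheme(html, site_url):
    """Rewrite protocol-relative script URLs to use the site's own scheme."""
    scheme = urlsplit(site_url).scheme
    return _PROTO_REL.sub(lambda m: f"{m.group(1)}{scheme}://", html)

if __name__ == "__main__":
    for finding in audit(SAMPLE_HTML, "https://domain.tld/"):
        print(finding)
    print(pin_scheme(SAMPLE_HTML, "https://domain.tld/"))
```

Findings with `same_host` true are first-party includes that only need the scheme pinned; those with `same_host` false and `has_integrity` false are the third-party includes where an integrity hash is worth adding.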