script-src 'nonce-RANDOM_BASE64' 'strict-dynamic' 'unsafe-inline' 'unsafe-eval' https: http:; object-src 'self'; base-uri 'self'; frame-ancestors 'self';
Using ColdFusion & Jsoup, we're automatically adding nonces to all whitelisted inline & remote script tags, but afterwards PageSpeed inserts its own inline scripts without nonces and they are blocked. We are able to work around it by disabling the following filters when enabling the strict CSP rule:
-combine_javascript,-lazyload_images,-rewrite_images,-prioritize_critical_css
I'd prefer re-enabling the above features, but can't find any PageSpeed documentation that indicates how CSP "nonce" attributes can be retained. Eval() is used for lazyload_images & rewrite_images, but we don't want to globally enable 'unsafe-inline' & 'unsafe-eval'. (NOTE: Eval() could be used if nonces are added to the generated script tags.)
I found this article regarding the Linux version, but am not sure of the current status of IIS Web Speed:
https://github.com/apache/incubator-pagespeed-mod/wiki/Design-Doc:-Brainstorming-PageSpeed-Optimization-Products-and-Content-Security-Policy
Also, I'm not using the most recent version of IIS Web Speed (I'm still using IISpeed). Would upgrading to IIS Web Speed make any difference?
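The failure mode described above (a per-response nonce stamped on every script tag, then a later rewriting stage injecting scripts that lack it) is easy to reproduce and to check for. The following is an added example, not the poster's ColdFusion/Jsoup code and not anything from PageSpeed: it generates a nonce, stamps it on script tags, builds the same script-src header as the post, simulates a post-processor that injects an un-nonced inline script, and audits the final markup for scripts the policy would block. The sample page and the `simulate_postprocessor` stand-in are constructed for the example.

```python
import base64
import re
import secrets
from html.parser import HTMLParser

# Constructed sample page (not the poster's markup).
PAGE = """<html><head><title>t</title>
<script src="/js/app.js"></script>
<script>console.log('inline');</script>
</head><body><p>hi</p></body></html>"""


def make_nonce() -> str:
    """Fresh per-response nonce: 128 bits from the OS CSPRNG, base64-encoded.
    This is what the 'nonce-RANDOM_BASE64' placeholder in the header stands for."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


_SCRIPT_OPEN = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)


def add_nonces(html: str, nonce: str) -> str:
    """Stamp nonce="..." on every <script> opening tag that does not already carry one.
    Idempotent: tags that already have a nonce attribute are left untouched."""
    def stamp(match: re.Match) -> str:
        attrs = match.group(1)
        if re.search(r"\bnonce\s*=", attrs, re.IGNORECASE):
            return match.group(0)
        return f'<script nonce="{nonce}"{attrs}>'
    return _SCRIPT_OPEN.sub(stamp, html)


class _ScriptAudit(HTMLParser):
    """Collect script tags whose nonce attribute does not equal the response nonce."""
    def __init__(self, nonce: str):
        super().__init__()
        self.nonce = nonce
        self.blocked: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        a = dict(attrs)
        if a.get("nonce") != self.nonce:
            # Under a nonce + 'strict-dynamic' policy this tag would be refused.
            self.blocked.append(a.get("src") or "<inline>")


def scripts_without_nonce(html: str, nonce: str) -> list[str]:
    """Return the src (or '<inline>') of every script the CSP would block."""
    audit = _ScriptAudit(nonce)
    audit.feed(html)
    return audit.blocked


def strict_csp(nonce: str) -> str:
    """Mirror the header from the post. Browsers that understand nonces ignore
    'unsafe-inline'; browsers that understand 'strict-dynamic' ignore the
    https:/http: host sources, so they only act as fallbacks for old browsers."""
    return (
        f"script-src 'nonce-{nonce}' 'strict-dynamic' 'unsafe-inline' 'unsafe-eval' "
        "https: http:; object-src 'self'; base-uri 'self'; frame-ancestors 'self';"
    )


def simulate_postprocessor(html: str) -> str:
    """Hypothetical stand-in for a later rewriting stage (an optimizer filter)
    that injects its own inline script without knowing the nonce."""
    return html.replace("</head>", "<script>window.__opt=1;</script></head>")


if __name__ == "__main__":
    nonce = make_nonce()
    stamped = add_nonces(PAGE, nonce)
    print(strict_csp(nonce))
    print("after nonce pass, blocked:", scripts_without_nonce(stamped, nonce))
    rewritten = simulate_postprocessor(stamped)
    print("after post-processor, blocked:", scripts_without_nonce(rewritten, nonce))
```

Running the audit on the final response body (after every rewriting stage) is the check that tells you which filter is injecting un-nonced scripts; the only fixes are to run the nonce pass last, or to have the injecting stage receive the nonce and stamp its own tags.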