CSP blocked onload js that pagespeed injected


PantelejmoN

Oct 24, 2018, 10:52:51 AM
to mod-pagespeed-discuss
Hi,

<p>test</p><p><img class="posted_image zoomable" src="https://www.XXXX.XXX/XXX.jpg" srcset="https://www.XXXX.XXX/XXX.jpg 1242w, https://www.XXXX.XXX/XXX.jpg 828w, https://www.XXXX.XXX/XXX.jpg 625w, https://www.XXXX.XXX/XXX.jpg 414w" sizes="(max-width: 30em) 414px, (max-width: 65em) 744px, 607px" onclick="PopEx(this,null,null,0,0,50,'pb-img-on shrinkable');" data-pagespeed-url-hash="1400652517" onload="pagespeed.CriticalImages.checkImageForCriticality(this);"></p><p>test image</p><p><img class="posted_image zoomable" src="https://www.XXXX.XXX/XXX.jpg" srcset="https://www.XXXX.XXX/XXX.jpg 828w, https://www.XXXX.XXX/XXX.jpg 625w, https://www.XXXX.XXX/XXX.jpg 414w, https://www.XXXX.XXX/XXX.jpg 1000w" sizes="(max-width: 30em) 414px, (max-width: 65em) 744px, 607px" onclick="PopEx(this,null,null,0,0,50,'pb-img-on shrinkable');" data-pagespeed-url-hash="204305278" onload="pagespeed.CriticalImages.checkImageForCriticality(this);"></p> </div> <div class="msgsignature quiet smaller"><p>last edited <span title='Feb 14, 2017'>1 year ago</span> by admin </p></div>

This is the line where I get a warning from CSP. It's blocked because of the "onload=" part. I added: ModPagespeedHonorCsp on
But the error is still here.
Pagespeed version: 1.13.35.2-0.x86_64

How can I solve this?

Longinos

Oct 24, 2018, 2:18:39 PM
to mod-pagespeed-discuss
Hi

I think it is because CSP considers any inlined script or event handler harmful. At the moment I think the only way to do it is adding unsafe-inline to the script-src policy.

PantelejmoN

Oct 25, 2018, 12:36:15 PM
to mod-pagespeed-discuss
I know that CSP considers it harmful. Your solution works, but I'm also using a "nonce". Is there a way for me to add my "nonce" to the js code injected by pagespeed?

Joshua Marantz

Oct 25, 2018, 12:40:07 PM
to mod-pagesp...@googlegroups.com
Not currently, but that was discussed in the past.

We have a very basic level of CSP support in pagespeed but not that yet. A volunteer to work on that would be awesome, if you are so inclined :)



PantelejmoN

Oct 25, 2018, 1:56:52 PM
to mod-pagespeed-discuss
I just read it and I think they will accept only a complicated solution that will make things even worse.
They could just create VirtualZone settings like:
pagespeed-nonce
pagespeed-sha

If one of them is not empty, add it to the static js code that pagespeed injects.
If they are both empty, do things like you do now.
End of story.

But, since they are thirsty of complication since April 2015, no one can help them.
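
Added example (not part of the thread and not mod_pagespeed code): CSP nonces cover script elements only, so the narrower alternative to 'unsafe-inline' for the injected onload= attributes is the CSP Level 3 'unsafe-hashes' keyword together with a hash of the exact handler text. The sketch assumes browsers that support 'unsafe-hashes'; SAMPLE_HTML, the nonce placeholder and the function names are constructed for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser

# Constructed sample modelled on the markup quoted in the first post.
SAMPLE_HTML = (
    '<p><img src="https://www.example.test/a.jpg" '
    'onclick="PopEx(this,null,null,0,0,50,\'pb-img-on shrinkable\');" '
    'onload="pagespeed.CriticalImages.checkImageForCriticality(this);"></p>'
    '<p><img src="https://www.example.test/b.jpg" '
    'onload="pagespeed.CriticalImages.checkImageForCriticality(this);"></p>'
)


class HandlerCollector(HTMLParser):
    """Collect the distinct values of inline on* event-handler attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.handlers = {}  # handler source text -> attribute names using it

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            # HTMLParser lowercases attribute names and decodes entities,
            # so value is the string the browser would hash.
            if name.startswith("on") and value:
                self.handlers.setdefault(value, set()).add(name)


def csp_hash(source: str) -> str:
    """Return a CSP hash-source for the exact handler text (byte for byte)."""
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def script_src_for(html: str, nonce: str) -> str:
    """Build a script-src value that keeps the page's nonce and allows only
    the inline handlers found in html, instead of 'unsafe-inline'."""
    collector = HandlerCollector()
    collector.feed(html)
    collector.close()
    hashes = sorted(csp_hash(src) for src in collector.handlers)
    return " ".join(["script-src", f"'nonce-{nonce}'", "'unsafe-hashes'", *hashes])


if __name__ == "__main__":
    # PLACEHOLDER_NONCE stands in for the per-response nonce the site already issues.
    print(script_src_for(SAMPLE_HTML, "PLACEHOLDER_NONCE"))
```

The hash only matches while the handler text stays identical, so it has to be regenerated whenever the injected attribute or the site's own onclick code changes.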