• Hi,

    Can I enable style-src base rules without creating a nonce?

I set style-src: 'self' 'unsafe-inline' https: in base rules and set style-src to none in settings “Select CSP mode for selected directives”. But a nonce is still generated.

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author Giuseppe

    (@mociofiletto)

    Please, post a link to your pages.

    I think the nonce is generated because it is set as the method to allow inline style (the option is called: inline script mode).

However, why use “No unsafe-inline” to set ‘unsafe-inline’?

    Thread Starter huubl

    (@huubl)

    Hi @mociofiletto,

    Thanks for your reply. My focus is on a strict policy on scripts, while being more lenient on styles where the risk is lower.

If I understand correctly, the option “inline script mode” applies to both inline scripts and styles?

    Unfortunately, I’m unable to provide a URL at this time as I’m currently conducting testing within a local environment.

    Plugin Author Giuseppe

    (@mociofiletto)

    Yes @huubl the option impacts both on scripts and styles.

    I will look at this as a feature request that implies: both to split the option for inline assets and to provide a value to allow or not to allow one kind of inline using the deployed CSP.

However, is there any particular reason why not use nonces for styles? Maybe you found a bug or similar?
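As an added example (not the plugin's own code), this is what the split Giuseppe describes would look like: each directive gets its own inline mode, a nonce is generated only for directives set to nonce mode, and a check flags any directive that carries both a nonce and 'unsafe-inline', because CSP-aware browsers then ignore 'unsafe-inline' and the inline styles the keyword was meant to allow are blocked. The function names, option names and source lists are assumptions.

```python
import secrets

# Assumed base sources per directive (constructed for this example).
DEFAULT_SOURCES = {
    "script-src": ["'self'"],
    "style-src": ["'self'", "https:"],
}


def build_csp(inline_modes, sources=DEFAULT_SOURCES, nonce=None):
    """Build a CSP header value with a per-directive inline mode.

    inline_modes maps a directive to "nonce", "unsafe-inline" or "none".
    A nonce is generated only if some directive actually uses it.
    Returns (header_value, nonce_or_None).
    """
    directives = []
    used_nonce = None
    for directive, srcs in sources.items():
        parts = list(srcs)
        mode = inline_modes.get(directive, "none")
        if mode == "nonce":
            if used_nonce is None:
                used_nonce = nonce or secrets.token_urlsafe(16)
            parts.append(f"'nonce-{used_nonce}'")
        elif mode == "unsafe-inline":
            parts.append("'unsafe-inline'")
        directives.append(f"{directive} {' '.join(parts)}")
    return "; ".join(directives), used_nonce


def ineffective_unsafe_inline(header_value):
    """Return directives where 'unsafe-inline' sits next to a nonce or hash.

    Per CSP Level 2/3, a nonce or hash in a directive makes browsers ignore
    'unsafe-inline' there, so such a policy blocks the inline content anyway.
    """
    flagged = []
    for directive in header_value.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        name, srcs = tokens[0], tokens[1:]
        has_nonce_or_hash = any(
            s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
            for s in srcs
        )
        if has_nonce_or_hash and "'unsafe-inline'" in srcs:
            flagged.append(name)
    return flagged
```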

    Thread Starter huubl

    (@huubl)

    Hi @mociofiletto ,

    Thank you for your reply!

To minimize the risk of unintended breakages, I’m focusing on a strict CSP for scripts first and excluding styles for now.

    The main challenge is the constant appearance of new items that require whitelisting. Some dynamic inline scripts persist after being whitelisted and refreshing the page.

    • This reply was modified 2 months, 2 weeks ago by huubl.
    Plugin Author Giuseppe

    (@mociofiletto)

    About the second issue, it is a feature needed to collect those inline scripts while capture is enabled.

After a while you should disable capture and perform clustering. In the plugin, machine learning is used just to deal with this situation: when the plugin (not in capture mode) finds a “new” script, it tries to guess if it was generated by legitimate server code (or, better, if it is similar enough to whitelisted scripts) and then it will allow that script (and record it in the database as whitelisted, if add_wl_by_cluster_to_db is set to true).
