Based on my last post “SSL CERTIFICATION WITH CSP & HSTS” how to add CSP in WordPress?
Well, the short story of this v3 format of CSP, it’s easy with some know-how to implement it. In production mode, where “Analytics”, FBEvent are loaded via a .js file. It won’t work (At least for now, I’ll update the posts when I found the trick).
Let’s talk about the v3 CSP format. It’s far better than the CSP v2 format where you have to explicit tell the HTTP-Server which “sites” are allowed. In v3 you can use nonce, what a wonderful idea. In production mode, well you will find several problems, like Analytics won’t get loaded (document.createElement doesn’t have “nonce”), and I’m pretty sure if it will ever have! Code-Injection a.k.a facepalm. Site-Note: It would be not “Secure” if you can inject any code via console, why you want CSP at all… Of course you can trigger the Analytics code via WordPress injections, but this won’t be anymore async… Well complicated.
What it does?
It reads the complete output-buffer, and change it the script/style tags to a valid CSP nonce tags. That’s it.
There are currently to many, any “HTML Optimizer” use the same process like this code (Yes, since the WP core-developer missed the inline-script or localization-scripts.. there are currently no another ways.). This means Autoptimize, W3-Cache etc. won’t work. WP-Admin throws many CSP Errors and the Media-Uploader Popup is showing.