Rocket Loader CSP Rules
Hey, I am trying to get rocket-loader.min.js up and running with my strict CSP rules:
default-src 'none'; base-uri 'none'; object-src 'none'; form-action 'none'; frame-ancestors 'none'; img-src 'self'; style-src-elem 'self'; script-src 'self' 'unsafe-inline' 'strict-dynamic' 'nonce-ucmPnqpppC8CN4vHqOAoh+859cskzJ0gflqKZ//2OHI=' static.cloudflareinsights.com ajax.cloudflare.com; connect-src 'self' cloudflareinsights.com; require-trusted-types-for 'script'
Based on the documentation I have added ajax.cloudflare.com, but it looks like the rocket-loader is not loaded from the ajax.cloudflare.com domain.
Firefox gives me this error:
Is there any way to fix it?
2 Replies
https://csp-evaluator.withgoogle.com/ is really helpful for troubleshooting CSP issues. For example, strict-dynamic is making everything but the nonce be ignored (including 'self', etc.) and having the nonce makes 'unsafe-inline' ignored.
Rocket Loader isn't very useful these days though and can break/slow down modern websites more than it helps. Unless you have a website with a ton of different js files, like old WordPress and such, that you can't manually async/defer, it's not too helpful.
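The point made in the first reply, as an added example that is not part of the thread: a small classifier that reports which script-src entries a CSP Level 3 browser honours once 'strict-dynamic' and a nonce are present. The function names and the placeholder nonce are assumptions of this example; the rest of the policy is the script-src list from the question.

```javascript
// Added example: classify script-src entries under CSP Level 3 rules.
// Split a policy string into a map of directive name -> source list.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function effectiveScriptSources(policy) {
  const d = parsePolicy(policy);
  // Fallback chain for <script> elements.
  const sources = d.get('script-src-elem') || d.get('script-src') ||
                  d.get('default-src') || [];
  const isNonceOrHash = s => /^'(nonce-|sha(256|384|512)-)/i.test(s);
  const strictDynamic = sources.some(s => s.toLowerCase() === "'strict-dynamic'");
  const hasNonceOrHash = sources.some(isNonceOrHash);
  const honoured = [];
  const ignored = [];
  for (const s of sources) {
    const k = s.toLowerCase();
    let reason = null;
    if (k === "'unsafe-inline'" && (hasNonceOrHash || strictDynamic)) {
      reason = "nonce, hash or 'strict-dynamic' present";
    } else if (strictDynamic && (k === "'self'" || !s.startsWith("'"))) {
      // Unquoted entries are host or scheme sources (allowlist entries).
      reason = "'strict-dynamic' present";
    }
    if (reason) ignored.push({ source: s, reason });
    else honoured.push(s);
  }
  return { honoured, ignored };
}

// Constructed sample: the question's policy, shortened, with a placeholder nonce.
const samplePolicy = "default-src 'none'; script-src 'self' 'unsafe-inline' " +
  "'strict-dynamic' 'nonce-PLACEHOLDER' static.cloudflareinsights.com " +
  "ajax.cloudflare.com; connect-src 'self' cloudflareinsights.com";

const report = effectiveScriptSources(samplePolicy);
console.log('honoured:', report.honoured);
console.log('ignored: ', report.ignored.map(i => i.source));
```

Under this policy only scripts carrying the nonce, or scripts loaded by an already trusted script, are allowed; the two host entries have no effect in browsers that support 'strict-dynamic'.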