Bryce Wray

Results: 41 comments by Bryce Wray

I currently use Cloudflare Pages; am thinking this might be some way it can be done with a Cloudflare Worker, but it'll have to be spelled out by better brains...

Yes, figuring out how to get the same nonce or hash in both Eleventy and CFP at build time is the issue. Easy enough to generate them on the Eleventy...

I can do the headers, yes; currently doing that in a Cloudflare Worker pointed to my domain, which in fact is how I implement the CSP. What I can't figure...

One more question: if using `strict-dynamic`, am I correct that this precludes the use of third-party scripts (such as for YouTube embeds), since one obviously can't control them but can...

The scripts in question would be in an iframe over which I have no control, so that's a no-go. Besides, it would appear this is a non-starter for an SSG-based...

Another one of interest that I may try (Cloudflare-specific): https://github.com/moveyourdigital/cloudflare-worker-csp-nonce

@connorjclark I appreciate your indulging me. :-) If you're asking me that last question: I know that, ever since I put a CSP on my site, the best I can...

@connorjclark https://lighthouse-dot-webdotdevsite.appspot.com//lh/html?url=https%3A%2F%2Fwww.brycewray.com%2F . . . presumably due to:

```js
{id: 'csp-xss', weight: 0, group: 'best-practices-trust-safety'},
```

Incidentally, the note about `report-uri` in that link I gave doesn't quite square with...

> I'm pretty sure this bug has been fixed in a later version than 8.0.0 #11862.
>
> EDIT: looks like it was [8.1.0](https://github.com/GoogleChrome/lighthouse/releases/tag/v8.1.0), "Best practices" gets 100 on the...

> I think strict-dynamic should only be enforced on pages that load multiple scripts. For pages that load one or zero external scripts, I don't see enough benefit over just...