• Resolved JCV

    (@psykonevro)


    Hi,

    I’m using a Content Security Policy, and I would like to level up the security of my website. I’d like to use nonces, which I already get added to every CSS/JS of the pages.

    However, since CSP nonces are generated for every single page visit, I’m looking for a way to bypass the cache for certain page sections (links, JavaScripts) and generate a new nonce.

    Could you help me? I asked for your help 6 months ago in another topic.


Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Contributor Marko Vasiljevic

    (@vmarko)

    Hello @psykonevro

    Thank you for reaching out and I am happy to help!

    In W3 Total Cache, there is no option to exclude specific files or pages from the Browser Cache options or to bypass this. This can only be done manually with some custom rules in the .htaccess. So there is no way that this can be done via the W3 Total Cache settings.
    I would advise you to create a custom rule which will apply to the specific files/paths and pages.

    Thanks!

    Thread Starter JCV

    (@psykonevro)

    Hi @vmarko

    Thanks for your response.
    However, I don’t see how to use an .htaccess for CSP. Would you mind giving an example? I’m using CSP with a nonce; you can’t generate nonces for CSP in .htaccess, as far as I know.
    Would it instead be possible to add an extra bit to the generated pages (I would use a preg_replace(), i.e.)? I would need to know what the latest hook used by W3TC to generate the cache is, so I could modify it.
    Thanks.

    Plugin Contributor Marko Vasiljevic

    (@vmarko)

    Hello @psykonevro

    Thank you for your feedback.
    I am sorry, however, this is outside of the W3 Total Cache scope. I cannot give you a straight answer on how to actually achieve this, I can only say that it cannot be done via the W3 Total Cache.
    Different rules may be applied for specific paths and you can see the W3TC rules for CSP in .htaccess: Header set Content-Security-Policy "base-uri 'self'"

    Achieving what you are asking requires custom rules that unfortunately are way out of W3TC scope.

    Thanks!

    Thread Starter JCV

    (@psykonevro)

    Thanks. My first point is outside W3TC scope, I understand (what you suggest is changing the CSP policy, which I don’t want; I’m very serious about security).

    I however ask you again regarding the second point: could you share whether there is a hook to change the W3TC final output?

    Thanks.

    Plugin Contributor Marko Vasiljevic

    (@vmarko)

    Hello @psykonevro

    Thank you for your feedback.
    No, there is no hook for this. I’ll have to check with the team and see if there is a possibility to add this.

    Thanks!

    Thread Starter JCV

    (@psykonevro)

    Looking forward to it. I guess it would be a nice feature for plugin developers.

    Thanks!

    Plugin Contributor Marko Vasiljevic

    (@vmarko)

    Hello @psykonevro

    Thank you for your patience.
    We will be adding filters in the next release including a filter for this particular scenario so please check the next update of the plugin.

    Thanks!

    Thread Starter JCV

    (@psykonevro)

    Hi @vmarko

    This is great, thank you so much! Looking forward to the next release of your plugin!
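
The approach asked about in this thread (rewriting cached output so that every response carries a new nonce), as an added example that is not part of the thread and is not W3 Total Cache code. The hook that would call it is not shown because the thread names none; `NONCE_PLACEHOLDER`, `stamp_csp_nonce()`, the sample policy and the sample markup are assumptions, and the code needs PHP 8.

```php
<?php
declare(strict_types=1);

// Hypothetical placeholder written into the page before it is cached.
// Keep it secret and random per site so injected markup cannot guess it.
const NONCE_PLACEHOLDER = 'cspph-3f9a1c7e5b2d4086';   // constructed value

// Stamp a fresh nonce into cached HTML; returns [header line, html].
function stamp_csp_nonce(string $cachedHtml): array
{
    // 128 bits from the CSPRNG, base64 so it is valid in header and attribute.
    $nonce = base64_encode(random_bytes(16));

    // Only nonce attributes on <script>, <style> and <link> that carry the
    // placeholder are rewritten; any other nonce value is left untouched.
    $pattern = '/(<(?:script|style|link)\b[^>]*?\bnonce=)(["\'])'
             . preg_quote(NONCE_PLACEHOLDER, '/') . '\2/i';
    $html = preg_replace_callback(
        $pattern,
        static fn(array $m): string => $m[1] . $m[2] . $nonce . $m[2],
        $cachedHtml
    );
    if ($html === null) {
        throw new RuntimeException('nonce substitution failed: ' . preg_last_error_msg());
    }

    // Sample policy (assumption); base-uri 'self' is the rule quoted in the thread.
    $header = "Content-Security-Policy: script-src 'nonce-$nonce'; "
            . "style-src 'nonce-$nonce'; base-uri 'self'";
    return [$header, $html];
}

// Constructed sample: two legitimate tags and one injected tag with a guessed nonce.
$cached = '<link rel="stylesheet" href="/a.css" nonce="' . NONCE_PLACEHOLDER . '">'
        . '<script src="/a.js" nonce="' . NONCE_PLACEHOLDER . '"></script>'
        . '<script nonce="guessed">injected()</script>';

[$h1, $page1] = stamp_csp_nonce($cached);
[$h2, $page2] = stamp_csp_nonce($cached);

echo $h1, "\n", $page1, "\n\n";
var_dump($h1 !== $h2);                               // each response gets its own nonce
var_dump(str_contains($page1, 'nonce="guessed"'));   // injected tag is not re-stamped
var_dump(!str_contains($page1, NONCE_PLACEHOLDER));  // placeholder never reaches the client
```

The stamped response must not be stored again by the page cache, the browser cache or a shared proxy, otherwise the same nonce is replayed to later visitors. Matching a secret placeholder instead of any `nonce="..."` attribute keeps the rewrite from approving markup that was injected into the cached copy.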
