Compatibility with caching & JS/CSS optimization plugins

you cannot use nonces with cached pages (and using hashes could be a problem due to limits in the HTTP Response header size set in your server).

the plugin recognizes random parameters in urls but the match could be ineffective for strange params name.

You can see the code here:

https://github.com/MocioF/No-unsafe-inline/blob/main/src%2FNunil_Capture.php#L883-L911

Thanks. It would be great to allow users to add more random parameters from the UI.

I have tried to use hashes for inline scripts (all cache / optimisation plugins disabled) and I cannot see any hash added to the inline HTML content while the hashed values are correctly listed in the CSP HTTP headers. It’s weird since I don’t have this issue when using the nonce option. I’ve tried it on multiple sites hosted on the same IIS 10 server + PHP 8.3 with no luck.

I will think about adding a filter to add more random parameters named.

You don’t see any hash in the HTML of your pages, because this is unnecessary for csp.

however, if you want/need you can use SRI (subresource integrity).

Here you could find a better explanation:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src

https://content-security-policy.com/hash/