Super888 casino login.REGISTER NOW GET FREE 888 PESOS REWARDS!

Jason LeMahieu (MadtownLems)
(@madtownlems)

5 months, 3 weeks ago

Hi there,

I’ve been tinkering with prefetch, including this plugin, and while I was able to see this plugin output the <script type=”speculationrules”>, I don’t believe it’s actually prerendering anything.

Some investigation led me to believe it’s related to our Content Security Policy. Are you able to provide any guidance or assistance on what needs to be present in a CSP in order to use the <script type=”speculationrules”> approach?

Viewing 7 replies - 1 through 7 (of 7 total)

Plugin Author Weston Ruter
(@westonruter)

5 months, 3 weeks ago
Interesting. It looks like there indeed can be a conflict with CSP: https://issues.chromium.org/issues/40903589

Please share how you’ve configured your Content-Security-Policy.

Note also that the script[type=speculationrules] tag is getting printed with wp_print_inline_script_tag(). So you would be able to inject a nonce attribute on that script tag via the wp_inline_script_attributes filter.
- This reply was modified 5 months, 3 weeks ago by Weston Ruter.
Plugin Author Weston Ruter
(@westonruter)

5 months, 3 weeks ago
I just replicated this issue by enabling Strict CSP but not including a nonce attribute on the speculationrules script tag. So the key is to add the nonce attribute to that script tag as well.

This plugin which enables Strict CSP automatically adds it to the speculationrules script as well: https://gist.github.com/westonruter/c8b49406391a8d86a5864fb41a523ae9

So you can use PHP code like this:
```
add_filter(
	'wp_inline_script_attributes',
	static function ( $attributes ) {
		$attributes['nonce'] = my_csp_nonce();
		return $attributes;
	}
);
```
Where my_csp_nonce() is replaced with your logic to obtain the nonce.
Thread Starter Jason LeMahieu (MadtownLems)
(@madtownlems)

5 months, 3 weeks ago

Please share how you’ve configured your Content-Security-Policy.

We currently have no mention of script-src in it. I THINK that doing something like:
script-src ‘self’ ‘unsafe-inline’; should make it work.

Do you have a suggested method of testing whether or not this prefetching/prerendering is actually working as expected? Should I be able to watch the Network tab as I hover over links? Is there another method?

Plugin Author Weston Ruter
(@westonruter)

5 months, 3 weeks ago

Chrome DevTools has a panel specifically for debugging Speculation Rules: https://developer.chrome.com/docs/devtools/application/debugging-speculation-rules

In video form: https://developer.chrome.com/blog/devtools-tips-31

Thread Starter Jason LeMahieu (MadtownLems)
(@madtownlems)

5 months, 3 weeks ago

Awesome – thank you so much. I’ll take a look at this in the days to come and report back.

Plugin Author Weston Ruter
(@westonruter)

5 months, 3 weeks ago

Alternatively, you can add the 'inline-speculation-rules' directive value to your CSP, instead of adding a nonce. h/t @tunetheweb

Plugin Author Weston Ruter
(@westonruter)

5 months, 3 weeks ago

Correction from @tunetheweb. The 'inline-speculation-rules' directive value wouldn’t work. It would only work for Speculation Rules added via scripting. So yeah, it seems the nonce is the best bet.

Viewing 7 replies - 1 through 7 (of 7 total)

You must be logged in to reply to this topic.