The corporate IT department of the client for whom we just launched a Bricks website is demanding that we fix the “unsafe” tag of our reported Content Security Policy, which is currently displayed as “default-src * ‘unsafe-inline’ ‘unsafe-eval’ data: blob:;” when they run Security Scorecard.
A couple of other posts on this board mention CSP issues, but I am not seeing a solution. It is implied that if I were simply to use htaccess to deploy a “strict” policy, Bricks will break.
When you Google the unsafe vs strict CSP issue, one of the suggested fixes is to give inline elements a “nonce” — but I do not know how to achieve that. The version of Bricks we are running does leverage the recently implemented “code-signing” feature – is that considered a “nonce”?
What kind of breakage might I expect if I implement a strict CSP via htaccess or a plugin? Will it affect just the editing interface, or will it break the front-facing website?
Any practical suggestions on how to solve this issue to satisfy the client’s IT folks would be appreciated!
I should mention that the site is hosted on WP Engine, which does not offer a solution other than editing htaccess or using a plugin.
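As an added illustration (not code from Bricks, WP Engine or the poster), the following Python shows the two things the question turns on: why a scanner flags the reported header, and what a "nonce" actually is, namely a fresh random value the server puts both in the `Content-Security-Policy` header and on every `<script>` tag of that one response, so the browser runs only scripts carrying it. The audit rules, the sample HTML and the strict-policy shape are my assumptions for the example; a static `Header` line in .htaccess cannot produce a per-request nonce, so a nonce-based policy always needs something running at the template or server layer. The last helper estimates how many script tags a nonce-only policy would refuse, which is a way to gauge front-end breakage before switching the header on.

```python
import base64
import re
import secrets

# Constructed from the header quoted in the question (not a real scan result).
REPORTED_CSP = "default-src * 'unsafe-inline' 'unsafe-eval' data: blob:;"

# Constructed sample markup: one external script, one inline script (assumed paths).
SAMPLE_HTML = (
    '<html><head><script src="/wp-content/themes/bricks/app.js"></script>'
    "<script>window.bricksData = {};</script></head><body></body></html>"
)


def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy, directive):
    """Fetch directives such as script-src fall back to default-src when unset."""
    return policy.get(directive, policy.get("default-src", []))


def audit_csp(header):
    """Return the findings a scanner would typically raise against a policy (assumed rule set)."""
    policy = parse_csp(header)
    findings = []
    scripts = [s.lower() for s in effective_sources(policy, "script-src")]
    has_nonce_or_hash = any(s.startswith("'nonce-") or s.startswith("'sha") for s in scripts)
    if "*" in scripts:
        findings.append("script-src: wildcard host allows any origin")
    # Browsers that understand nonces/hashes ignore 'unsafe-inline' when one is present.
    if "'unsafe-inline'" in scripts and not has_nonce_or_hash:
        findings.append("script-src: 'unsafe-inline' without nonce or hash")
    if "'unsafe-eval'" in scripts:
        findings.append("script-src: 'unsafe-eval' permits eval()/new Function()")
    if "data:" in scripts:
        findings.append("script-src: data: URIs allowed")
    default = [s.lower() for s in policy.get("default-src", [])]
    if "object-src" not in policy and "'none'" not in default:
        findings.append("object-src: not restricted (plugins/embeds allowed)")
    if "base-uri" not in policy:
        findings.append("base-uri: not set")
    return findings


def make_nonce():
    """Fresh per-response nonce: 128 bits from a CSPRNG, base64 encoded."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def strict_csp_header(nonce):
    """Nonce-based strict policy: only scripts carrying this response's nonce run."""
    return (
        f"script-src 'nonce-{nonce}' 'strict-dynamic'; "
        "object-src 'none'; base-uri 'none';"
    )


SCRIPT_TAG = re.compile(r"<script\b(?P<attrs>[^>]*)>", re.IGNORECASE)


def add_nonce_to_scripts(html, nonce):
    """Stamp the response nonce onto every <script> tag that lacks one.

    This is the per-request work a template or server hook must do; a fixed
    header in .htaccess cannot, because the nonce must differ on every response.
    """
    def stamp(match):
        attrs = match.group("attrs")
        if re.search(r"\bnonce=", attrs, re.IGNORECASE):
            return match.group(0)
        return f'<script nonce="{nonce}"{attrs}>'
    return SCRIPT_TAG.sub(stamp, html)


def scripts_blocked_by_nonce_policy(html, nonce):
    """Count <script> tags a nonce-only script-src would refuse to execute."""
    return sum(
        1 for m in SCRIPT_TAG.finditer(html)
        if f'nonce="{nonce}"' not in m.group("attrs")
    )


def demo():
    """Blocked-script count before and after stamping the nonce into the sample page."""
    nonce = make_nonce()
    before = scripts_blocked_by_nonce_policy(SAMPLE_HTML, nonce)
    after = scripts_blocked_by_nonce_policy(add_nonce_to_scripts(SAMPLE_HTML, nonce), nonce)
    return before, after


if __name__ == "__main__":
    for finding in audit_csp(REPORTED_CSP):
        print("reported policy:", finding)
    print("strict policy findings:", audit_csp(strict_csp_header(make_nonce())))
    print("blocked scripts before/after nonce stamping:", demo())
```

Running `demo()` on the sample page gives `(2, 0)`: under a nonce-only policy both script tags, external and inline, are refused until the nonce is stamped on them, which is exactly the kind of front-end breakage to expect if the header is changed without also changing the markup. The `'strict-dynamic'` keyword lets scripts that a nonced script loads at runtime execute without their own nonce, but every `<script>` tag written into the HTML still needs it.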