Autoptimize Pro with Content Security Policy
Hi there,
I’m considering switching to Autoptimize Pro from NitroPack but I want to make sure the problem I’m facing with Nitro can be resolved with Autoptimize. I don’t seem to find a place to submit questions regarding the Pro version so I’m posting here. Please let me know if there’s a dedicated contact for this kind of matter.
The problem:
I’m implementing Content Security Policy on my site and everything works when the page is not cached. However, with NitroPack injecting scripts and styles into the cached page, the inline code gets blocked by CSP.
Take scripts for example, this is what my script-src looks like:
script-src 'strict-dynamic' 'nonce-myNonce==';
'strict-dynamic' with an accompanying hash or nonce (I’m using nonce here) will allow the script tags that have the nonce (and all scripts they load) to load. But there seems to be no way to add my nonce to top level Nitro scripts and therefore they are blocked.
On top of that, NitroPack also appends some sources (the bolded ones below) to my script-src. These include 'unsafe-inline' & 'unsafe-eval' which defeat the purpose of using CSP. The actual directive looks like this in the response:
script-src 'strict-dynamic' 'nonce-myNonce==' blob: 'unsafe-inline' 'unsafe-eval' https://cdn-ilcnagb.nitrocdn.com/ https://nitroscripts.com/;
So what I want to know is, with Autoptimize Pro’s page caching, is there a way to add my PHP generated nonce to the injected scripts and styles so these resources don’t get blocked?
I hope this makes sense. You can check the console errors in the page link for more details. When appending “?nonitro=yes” to the end of the url to bust the cache, no errors are in the console.
Please let me know when you have a chance.
Thanks,
Angus
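An added example, not from this thread or from Autoptimize, that checks for the situation the post describes: it parses a script-src directive and a page's script tags, reports the 'unsafe-inline' / 'unsafe-eval' keywords, and lists every script a strict-dynamic policy would block because it carries no nonce from the header. The header, the nonce value and the HTML are constructed samples.

```python
from html.parser import HTMLParser

UNSAFE = {"'unsafe-inline'", "'unsafe-eval'"}


def parse_csp(header):
    """Split a CSP header into {directive: [source, ...]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0]] = parts[1:]
    return policy


def nonces_in(sources):
    """Return the set of nonce values declared as 'nonce-<value>'."""
    return {s[len("'nonce-"):-1] for s in sources
            if s.startswith("'nonce-") and s.endswith("'")}


class _ScriptCollector(HTMLParser):
    """Collect the attributes of every <script> start tag."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append(dict(attrs))


def audit(header, html):
    """Return a list of findings; an empty list means nothing is blocked."""
    script_src = parse_csp(header).get("script-src", [])
    findings = [f"script-src contains {s}" for s in script_src if s in UNSAFE]
    allowed = nonces_in(script_src)
    if "'strict-dynamic'" in script_src and not allowed:
        findings.append("'strict-dynamic' without a nonce or hash: no script can load")
    collector = _ScriptCollector()
    collector.feed(html)
    for i, attrs in enumerate(collector.scripts, start=1):
        # Under 'strict-dynamic', host sources and 'unsafe-inline' are ignored,
        # so a top-level script without a matching nonce is blocked.
        if attrs.get("nonce") not in allowed:
            where = attrs.get("src", "inline")
            findings.append(f"script #{i} ({where}) has no valid nonce and will be blocked")
    return findings


# Constructed sample mirroring the post: appended unsafe sources and two
# scripts injected by a cache layer without the nonce.
SAMPLE_HEADER = ("script-src 'strict-dynamic' 'nonce-myNonce==' blob: "
                 "'unsafe-inline' 'unsafe-eval' https://cdn.example/;")
SAMPLE_HTML = """<script nonce="myNonce==" src="/app.js"></script>
<script src="https://cdn.example/injected.js"></script>
<script>window.injected = 1;</script>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_HEADER, SAMPLE_HTML):
        print(finding)
```

Run it over the cached and the uncached response of the same URL; the difference is exactly the set of scripts the cache layer injects without the nonce.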