Hi,
I’m trying to optimize my site and dug into Content Security Policies. I’m on a good path here and can secure my domain to an A+ grade according to https://securityheaders.com.
However, the only site, which is not in my direct control and prevents me from dropping ‘unsafe-inline’ from the script-src and style-src, is the /search page.
It injects JavaScript and CSS styles directly into the HTML source page.
So I would like to create a feature request to @manton to maybe optimize this and, instead of injecting, do a script src=… loading, because the script-src can allow e.g. https://micro.blog as a “trusted” domain for this if hosted “externally”.
Without ‘unsafe-inline’: CSP = A+ (search not working)
With ‘unsafe-inline’ (search working): A, but with the recommendation:
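As an added illustration (not part of the original post or of Micro.blog’s code), this small checker shows why the two policies behave differently: inline code needs ‘unsafe-inline’, while a script loaded from an allow-listed host such as https://micro.blog passes a stricter policy. The page origin https://example.com and the script URL https://micro.blog/search.js are constructed placeholders; nonces and hashes are not modelled.

```python
"""Check what a CSP allows for the two policies discussed in the post."""
from urllib.parse import urlsplit

def parse_csp(header: str) -> dict:
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_allowed(policy, directive, *, src=None, page_origin=None, inline=False):
    """True if a script/style is permitted under `directive`.
    inline=True -> content embedded in the HTML (what /search injects);
    src -> URL of an external resource; page_origin -> scheme://host of the
    page, needed for 'self'. Falls back to default-src like a browser does.
    """
    sources = policy.get(directive, policy.get("default-src", []))
    if inline:
        # Inline code needs 'unsafe-inline' (nonces/hashes are not modelled here)
        return "'unsafe-inline'" in sources
    if src is None:
        return False
    parts = urlsplit(src)
    origin = f"{parts.scheme}://{parts.netloc}"
    for s in sources:
        if s == "*" or s == f"{parts.scheme}:":
            return True  # any host, or any host on that scheme
        if s == "'self'" and page_origin == origin:
            return True
        if s.startswith(("http://", "https://")) and s.rstrip("/") == origin:
            return True  # host-source entry such as https://micro.blog
    return False

# The policy the post needs today (weak) next to the stricter one it asks for.
LOOSE = "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'"
STRICT = "default-src 'self'; script-src 'self' https://micro.blog; style-src 'self' https://micro.blog"
PAGE = "https://example.com"  # constructed placeholder for the poster's own domain

def demo() -> dict:
    """Compare the two policies for inline vs. externally hosted search code."""
    loose, strict = parse_csp(LOOSE), parse_csp(STRICT)
    return {
        "inline script, loose": source_allowed(loose, "script-src", inline=True),
        "inline script, strict": source_allowed(strict, "script-src", inline=True),
        "micro.blog script, strict": source_allowed(strict, "script-src", src="https://micro.blog/search.js", page_origin=PAGE),
        "other host, strict": source_allowed(strict, "script-src", src="https://cdn.example.net/x.js", page_origin=PAGE),
    }
```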