CSP: /search page needs 'unsafe-inline' for script/style


I’m trying to optimize my site and dug into Content Security Policies. I’m on a good path here and can secure my domain to an A+ grade according to https://securityheaders.com.

However, the only site that is not in my direct control and that prevents me from dropping unsafe-inline from script-src and style-src is the /search page.
It injects JavaScript and CSS styles directly into the HTML source of the page.

So I would like to create a feature request to @manton to maybe optimize this and, instead of injecting, load it via script src=…, because script-src can then allow e.g. https://micro.blog as a “trusted” domain if it is hosted “externally”.

Without ‘unsafe-inline’: CSP = A+ (search not working)

With ‘unsafe-inline’: search working, CSP = A, but with this recommendation:
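To make the difference between the two policies concrete, here is a small checker that parses a CSP header and reports whether script-src and style-src still permit inline code, and which external origins they trust instead. This is an added example, not code from this thread or from micro.blog; the two sample headers are constructed, and https://micro.blog appears only as the origin the post proposes to allow once the search assets are served as external files.

```python
"""Check whether a Content-Security-Policy header still permits inline
script or style, and which external origins it allows instead.

Added example, not code from the forum thread or from micro.blog. The
sample headers below are constructed; https://micro.blog is only the
origin the thread proposes as a "trusted" host for the search script.
"""
from __future__ import annotations

# Constructed sample policies: the weak one is what the thread describes
# (inline search assets force 'unsafe-inline'); the hardened one lists the
# origin an external script/stylesheet would be loaded from instead.
WEAK_CSP = ("default-src 'self'; "
            "script-src 'self' 'unsafe-inline'; "
            "style-src 'self' 'unsafe-inline'")
HARDENED_CSP = ("default-src 'self'; "
                "script-src 'self' https://micro.blog; "
                "style-src 'self' https://micro.blog")


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive-name: [source expressions]}.
    Directives are ';'-separated; the first occurrence of a name wins,
    because browsers ignore later duplicates of the same directive."""
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        name, *sources = tokens
        policy.setdefault(name.lower(), sources)
    return policy


def effective_sources(policy: dict[str, list[str]], directive: str) -> list[str] | None:
    """script-src and style-src fall back to default-src when absent.
    Returns None when nothing governs the directive (no restriction at all)."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")


def allows_inline(policy: dict[str, list[str]], directive: str) -> bool:
    """True if inline <script>/<style> blocks are permitted for this directive.
    A nonce or hash source causes 'unsafe-inline' to be ignored (CSP Level 2+),
    and an ungoverned directive places no restriction on inline code."""
    sources = effective_sources(policy, directive)
    if sources is None:
        return True
    lowered = [s.lower() for s in sources]
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
        for s in lowered)
    return "'unsafe-inline'" in lowered and not has_nonce_or_hash


def external_origins(policy: dict[str, list[str]], directive: str) -> list[str]:
    """Host sources (not quoted keywords, nonces or hashes) the directive trusts."""
    sources = effective_sources(policy, directive) or []
    return [s for s in sources if not s.startswith("'")]


def inline_report(header: str) -> dict[str, bool]:
    """Per-directive verdict for the two directives the thread is about."""
    policy = parse_csp(header)
    return {d: allows_inline(policy, d) for d in ("script-src", "style-src")}


if __name__ == "__main__":
    for label, header in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        print(label, inline_report(header),
              "script hosts:", external_origins(parse_csp(header), "script-src"))
```

The hardened header only works once the /search page stops injecting its JavaScript and CSS inline and loads them from a file served by an origin listed in script-src and style-src, which is exactly the change the post asks for; until then, dropping 'unsafe-inline' blocks the inline search assets as the screenshot above shows.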

That’s interesting. I don’t think there’s anything wrong about what the Search plug-in is doing there. It could be moved into a separate script file, though.