Hi,
I recently enabled the CSP (Content Security Policy) on my blog and one of the directives I’m using is script-src. I’m blocking the execution of scripts from everywhere except ‘self’ and a couple of additional domains like stats.wp.com.
The thing is that when enabled I found that CF7 is adding some inline scripts to my pages, like the following:
<script type='text/javascript'>
/* <![CDATA[ */
var wpcf7 = {"apiSettings":{"root":"https:\/\/blog.pablofain.com\/wp-json\/contact-form-7\/v1","namespace":"contact-form-7\/v1"}};
/* ]]> */
</script>
<script type="text/javascript">
( function( grecaptcha, sitekey ) {
    var wpcf7recaptcha = {
        execute: function() {
            grecaptcha.execute(
                sitekey,
                { action: 'homepage' }
            ).then( function( token ) {
                var forms = document.getElementsByTagName( 'form' );
                for ( var i = 0; i < forms.length; i++ ) {
                    var fields = forms[ i ].getElementsByTagName( 'input' );
                    for ( var j = 0; j < fields.length; j++ ) {
                        var field = fields[ j ];
                        if ( 'g-recaptcha-response' === field.getAttribute( 'name' ) ) {
                            field.setAttribute( 'value', token );
                            break;
                        }
                    }
                }
            } );
        }
    };
    grecaptcha.ready( wpcf7recaptcha.execute );
    document.addEventListener( 'wpcf7submit', wpcf7recaptcha.execute, false );
} )( grecaptcha, '6LeRe4IUAAAAAD41ofsmEfuaiDfp4nE2D6MSFB8D' );
</script>
The above-mentioned scripts are being blocked by the browsers because of the CSP directives. I could prevent this by adding “unsafe-inline” to the list of allowed directives, but this is definitely making CSP pointless.
Is it possible for you to move this code out-of-line?
Thanks,
Pablo
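Until the plugin moves the scripts out-of-line, the CSP-native way to allow a fixed inline script without 'unsafe-inline' is a hash source ('sha256-...') computed over the exact script body. The following is an added example (not code from the post or from Contact Form 7) that extracts inline scripts from a page fragment, computes their CSP3 hash expressions, appends them to a script-src directive like the one described above, and checks which policies would let the script run; the HTML sample is the first script quoted in the post, and the policy-parsing is deliberately minimal (only script-src/default-src, 'unsafe-inline' and hash sources are modelled).

```python
import base64
import hashlib
import re

# Constructed sample: the first inline script CF7 emitted, as quoted in the post.
# The CSP hash covers exactly the text between <script ...> and </script>,
# including the newlines and the CDATA comment lines.
SAMPLE_HTML = r"""<script type='text/javascript'>
/* <![CDATA[ */
var wpcf7 = {"apiSettings":{"root":"https:\/\/blog.pablofain.com\/wp-json\/contact-form-7\/v1","namespace":"contact-form-7\/v1"}};
/* ]]> */
</script>"""


def inline_scripts(html):
    """Return the body of every inline <script> (one without a src attribute)."""
    bodies = []
    for m in re.finditer(r"<script\b([^>]*)>(.*?)</script>", html, re.DOTALL | re.IGNORECASE):
        attrs, body = m.group(1), m.group(2)
        if re.search(r"\bsrc\s*=", attrs, re.IGNORECASE):
            continue  # external script: covered by host sources, not by a hash
        bodies.append(body)
    return bodies


def csp_hash(script_body):
    """CSP3 hash source expression: 'sha256-<base64 of SHA-256 over the UTF-8 body>'."""
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def policy_with_hashes(base_policy, html):
    """Append a hash source for each inline script in html to the script-src directive."""
    hashes = " ".join(csp_hash(body) for body in inline_scripts(html))
    # Assumes base_policy already contains a script-src directive (true for the post's policy).
    return re.sub(r"(script-src[^;]*)", lambda m: m.group(1) + " " + hashes, base_policy, count=1)


def script_src_allows(policy, script_body):
    """Would this policy let the inline script run? Falls back to default-src like browsers do."""
    directives = {}
    for directive in policy.split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    sources = directives.get("script-src", directives.get("default-src", []))
    # CSP2+: a hash or nonce source present in the list makes 'unsafe-inline' ignored.
    has_hash_or_nonce = any(s.startswith(("'sha", "'nonce-")) for s in sources)
    if "'unsafe-inline'" in sources and not has_hash_or_nonce:
        return True
    return csp_hash(script_body) in sources


if __name__ == "__main__":
    base = "default-src 'self'; script-src 'self' https://stats.wp.com"
    print(policy_with_hashes(base, SAMPLE_HTML))
```

A hash must be recomputed whenever the emitted script changes by even one byte (a plugin update, a different REST root, a new site key), which is why an external file or a per-request nonce is the more maintainable fix.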