Hi, nice handy plugin. But I faced a problem. I want to use the plugin without scanning resources, only setting Base Rules. But it adds a "nonce" directive to the content-security-policy header (style-src). And it ruins all queries with my 'unsafe-inline' setting.
Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-inline' https: 'nonce-469a42804b5a65f69e0e5cbde9594d1dc1691ab13c01ba1ed2f542b6c7571ab3' 'report-sample'". Note that 'unsafe-inline' is ignored if either a hash or nonce value is present in the source list.
Hi @zooks,
using 'unsafe-inline' is not how "No-unsafe-inline" is intended to be used.
However, if you don't whitelist any inline script, can you try to set inline_scripts_mode to something different from "nonce" (sha256)?
content-security-policy: upgrade-insecure-requests; default-src 'none'; script-src 'self' 'unsafe-inline' https: 'nonce-469a42804b5a65f69e0e5cbde9594d1dc1691ab13c01ba1ed2f542b6c7571ab3'; style-src 'self' 'unsafe-inline' https: 'nonce-469a42804b5a65f69e0e5cbde9594d1dc1691ab13c01ba1ed2f542b6c7571ab3' 'report-sample'; img-src 'self' data: https:; font-src 'self' data: https:; connect-src 'self'; media-src 'self'; object-src 'none'; prefetch-src 'none'; child-src 'self'; frame-src 'self' https:; worker-src 'self'; manifest-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'none';
"External source csp mode" was set to "none".
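The browser message quoted in this thread says that 'unsafe-inline' is ignored once a nonce or hash appears in the same source list. As an added example (not code from the plugin or from anyone in this thread), the following checks a policy string for directives in that state; the function names and the sample header, modeled on the one posted above with a placeholder nonce, are constructed for illustration.

```javascript
// Added example: find CSP directives whose 'unsafe-inline' is neutralized
// by a nonce or hash source in the same source list.
const NONCE_OR_HASH = /^'(nonce|sha256|sha384|sha512)-[A-Za-z0-9+\/_=-]+'$/i;

// Directives whose source lists govern inline scripts or styles.
const INLINE_DIRECTIVES = new Set([
  'default-src',
  'script-src', 'script-src-elem', 'script-src-attr',
  'style-src', 'style-src-elem', 'style-src-attr',
]);

// Split a serialized policy into directive name -> list of source expressions.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Only the first occurrence of a directive counts; duplicates are ignored.
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Return one finding per directive that lists 'unsafe-inline' next to a nonce or hash.
function findIgnoredUnsafeInline(header) {
  const findings = [];
  for (const [directive, sources] of parseCsp(header)) {
    if (!INLINE_DIRECTIVES.has(directive)) continue;
    const hasUnsafeInline = sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
    const overriding = sources.filter((s) => NONCE_OR_HASH.test(s));
    if (hasUnsafeInline && overriding.length > 0) {
      const kinds = overriding.map((s) => (/^'nonce-/i.test(s) ? 'nonce' : 'hash'));
      findings.push({ directive, overriddenBy: [...new Set(kinds)] });
    }
  }
  return findings;
}

// Constructed sample, shaped like the header in the issue (placeholder nonce).
const SAMPLE_HEADER =
  "default-src 'none'; " +
  "script-src 'self' 'unsafe-inline' https: 'nonce-Q09OU1RSVUNURUQ='; " +
  "style-src 'self' 'unsafe-inline' https: 'nonce-Q09OU1RSVUNURUQ=' 'report-sample'; " +
  "img-src 'self' data: https:";

for (const f of findIgnoredUnsafeInline(SAMPLE_HEADER)) {
  console.log(`${f.directive}: 'unsafe-inline' ignored (${f.overriddenBy.join(', ')} present)`);
}
```

Run against a response header captured from the site, an empty result means no inline-capable directive mixes 'unsafe-inline' with a nonce or hash.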