I have set up a CSP on my website and I’m looking to make it as strict as possible. I was able to write a function that puts nonce values on all JavaScript that is registered through WordPress. The problem I am coming across is that Gravity Forms is putting some JavaScript inline.
I don’t see a way to add nonce values to these scripts because they aren’t loaded and registered through WordPress.
Is there a way to add a nonce value to these inline scripts?
Hi Robert, I’m not sure I understand the benefit of this or what it might look like? Could you provide an example of what you’re after for one of Gravity Forms’ inline scripts?
I am revisiting this situation again today because now the reCAPTCHA 2.0 box won’t display in our forms.
The CSP is a Content Security Policy. I notice when I view the page source of my site, I see that Gravity Forms adds some JavaScript inline into the page.
Gravity Forms does not load the scripts the way that WordPress had intended. Gravity Forms does not use wp_register_script or wp_enqueue_script. Put simply, they are just dropped into the page. By not registering them, it makes it impossible for me to add the nonce values to those script tags. There is no filter I am aware of to tap into the scripts the way these are being added.
Is it possible for you to update your plugin so that you use wp_register_script and wp_enqueue_script?
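To make the problem described in this thread concrete, the following added example (not part of the original posts and not Gravity Forms or WordPress code) audits saved page source against a nonce-based policy and lists the inline scripts a browser would refuse to run. The header value, the HTML and all names in it are constructed for illustration; it assumes a nonce-based `script-src` and does not evaluate hash sources or external scripts.

```python
from html.parser import HTMLParser

def script_nonces(csp_header):
    """Nonces accepted for scripts: script-src, else default-src."""
    directives = {}
    for part in csp_header.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    sources = directives.get("script-src", directives.get("default-src", []))
    return {s[7:-1] for s in sources
            if s.lower().startswith("'nonce-") and s.endswith("'")}

class InlineScriptAudit(HTMLParser):
    def __init__(self, nonces):
        super().__init__()
        self.nonces = nonces
        self.blocked = []     # (line number, start of script body)
        self._current = None  # [line, body parts] while inside a blocked script

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag != "script" or "src" in attrs:
            return  # external scripts are matched by host or nonce; not audited here
        if (attrs.get("type") or "").lower() in ("application/json", "application/ld+json"):
            return  # data blocks are never executed
        if attrs.get("nonce") not in self.nonces:
            self._current = [self.getpos()[0], []]

    def handle_data(self, data):
        if self._current:
            self._current[1].append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._current:
            line, parts = self._current
            self.blocked.append((line, " ".join("".join(parts).split())[:60]))
            self._current = None

def blocked_inline_scripts(csp_header, html):
    audit = InlineScriptAudit(script_nonces(csp_header))
    audit.feed(html)
    audit.close()
    return audit.blocked

# Constructed sample: one nonced script, one un-nonced, one with a stale nonce.
SAMPLE_CSP = "default-src 'self'; script-src 'self' 'nonce-r4nd0m'"
SAMPLE_HTML = """<html><head>
<script nonce="r4nd0m">var themeReady = true;</script>
<script src="/js/site.js" nonce="r4nd0m"></script>
</head><body>
<script>var formInit = 1; /* plugin inline script stand-in */</script>
<script nonce="stale">var cached = 1;</script>
</body></html>"""
```

The stale-nonce case is included because a page served from a cache can carry a nonce that no longer matches the header sent with the response.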