Can we make {{ghost_head}} not create inline scripts?

Currently it’s impossible to turn off ‘unsafe-inline’ in your Content-Security-Policy header, since ghost_head outputs an inline script tag. Hence, it’s impossible to achieve the highest grade on https://securityheaders.com/ for instance…
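As an added illustration of the check behind this question (not code from Ghost or from the original post), the following Python script parses a Content-Security-Policy header, works out whether the effective script directive really allows inline scripts, and scans a page for `<script>` elements without a `src` attribute. The HTML snippets are constructed stand-ins: the inline bootstrap call is a placeholder, not the actual script `{{ghost_head}}` emits. Non-executable data blocks such as JSON-LD are skipped, since a browser never executes them and CSP does not block them.

```python
from html.parser import HTMLParser

# Executable script types; anything else (e.g. application/ld+json) is a data block
_JS_TYPES = {"", "text/javascript", "application/javascript", "module"}


def parse_csp(header):
    """Split a Content-Security-Policy header into {directive: [source-expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_script_sources(policy):
    """script-src governs scripts; browsers fall back to default-src when it is absent."""
    return policy.get("script-src", policy.get("default-src", []))


def allows_unsafe_inline(header):
    """True when the policy actually lets inline <script> blocks run."""
    sources = [s.lower() for s in effective_script_sources(parse_csp(header))]
    # Per CSP Level 2, a nonce- or hash-source in the same directive makes
    # browsers ignore 'unsafe-inline', so such a policy does not really allow it.
    nonce_or_hash = any(s.startswith("'nonce-") or s.startswith("'sha") for s in sources)
    return "'unsafe-inline'" in sources and not nonce_or_hash


class _InlineScriptFinder(HTMLParser):
    """Collects executable <script> elements that carry no src attribute."""

    def __init__(self):
        super().__init__()
        self.inline = []          # list of (line_number, first 40 chars of code)
        self._collecting = False
        self._line = 0
        self._buf = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        script_type = (attrs.get("type") or "").strip().lower()
        if tag.lower() == "script" and "src" not in attrs and script_type in _JS_TYPES:
            self._collecting = True
            self._line = self.getpos()[0]
            self._buf = []

    def handle_data(self, data):
        if self._collecting:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._collecting:
            self._collecting = False
            snippet = "".join(self._buf).strip()
            self.inline.append((self._line, snippet[:40]))


def find_inline_scripts(html):
    finder = _InlineScriptFinder()
    finder.feed(html)
    finder.close()
    return finder.inline


def audit(header, html):
    """Report whether the page could be served under this CSP without 'unsafe-inline'."""
    inline = find_inline_scripts(html)
    return {
        "unsafe_inline_allowed": allows_unsafe_inline(header),
        "inline_scripts": inline,
        # Dropping 'unsafe-inline' blocks every inline block, so the policy is
        # only safe to tighten once no executable inline scripts remain.
        "safe_to_drop_unsafe_inline": not inline,
    }


# Constructed sample policies and pages (placeholders, not Ghost's real output)
CSP_LOOSE = "default-src 'self'; script-src 'self' 'unsafe-inline'"
CSP_STRICT = "default-src 'self'; script-src 'self'"

PAGE_WITH_INLINE = """<html><head>
<script type="application/ld+json">{"@context": "https://schema.org"}</script>
<script type="text/javascript">
    // constructed stand-in for a helper's inline bootstrap
    window.bootstrapClient({url: "https://example.com"});
</script>
</head><body></body></html>"""

PAGE_CLEAN = """<html><head>
<script type="application/ld+json">{"@context": "https://schema.org"}</script>
<script src="/assets/app.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for name, page in (("with inline", PAGE_WITH_INLINE), ("clean", PAGE_CLEAN)):
        print(name, audit(CSP_STRICT, page))
```

Run it against a saved copy of your rendered page and the header you intend to ship; once `inline_scripts` is empty, `script-src` can drop `'unsafe-inline'` without breaking the theme.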

The script that’s currently output by {{ghost_head}} is for initialising the v0.1 api - which has been deprecated, as far as I know in Ghost v3 we will remove it completely :tada:

However, if you’re not using the v0.1 api - you should be able to switch it off in labs, and the script will be removed :relaxed:

@gargol Might be able to confirm this?


@osirisguitar which script exactly is preventing you from turning off unsafe-inline? But assuming @fabien is right about the script injected by API v0.1, moving to API v2 or disabling API v0.1 should remove it and the problem will be solved :slight_smile:

Turned off the old API in labs and the script tag is gone. Thanks for your help!

Turned off ‘unsafe-inline’ and got an A+ on my header report card now :smiley:

