Hello Paul,
This is a common security challenge when balancing CSP strictness with plugin functionality. Here are several approaches to work around the Download Manager’s `unsafe-inline` requirement:
## Immediate Solutions
1. Use a Nonce for Inline Styles
Instead of `unsafe-inline`, try implementing nonces for the Download Manager’s inline styles:

```
Content-Security-Policy: style-src 'self' 'nonce-[your-random-nonce]'
```

You’ll need to add the nonce attribute to any inline `<style>` tags the plugin generates.
2. Hash-Based Approach
Calculate SHA256 hashes of the specific inline styles and whitelist them:

```
Content-Security-Policy: style-src 'self' 'sha256-[hash-of-inline-style]'
```

## Better Long-term Solutions
3. Extract Inline Styles
– Create a separate CSS file containing the Download Manager’s styles
– Remove the inline styles from the plugin
– Include the CSS file with `style-src 'self'`
## Testing Your Implementation
Use browser dev tools to identify exactly which inline styles are being blocked, then target those specific elements with nonces or hashes.
Please kindly check.
Thank you and regards
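
The hash-based approach from the reply above, as an added example that is not part of the original post or the plugin's code: it collects every inline `<style>` element from a rendered page, computes the `'sha256-…'` source expression over its exact text, and builds the `style-src` header. The sample HTML and its class names are constructed for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser

# Constructed sample standing in for the plugin's rendered output (assumption).
SAMPLE_HTML = (
    "<style>.dl-box { border: 1px solid #ccc; }</style>\n"
    "<style>\n  .dl-btn { color: #fff; }\n</style>\n"
    '<a class="dl-btn" style="margin:0">Download</a>\n'
)

def csp_hash(css_text):
    """CSP source expression for one <style> element's exact text content."""
    digest = hashlib.sha256(css_text.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

class InlineStyleCollector(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.blocks = []       # text of each <style> element, whitespace intact
        self.style_attrs = []  # (tag, value) for every style="" attribute
        self._buf = None       # accumulates data while inside <style>

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._buf = []
        for name, value in attrs:
            if name == "style":
                self.style_attrs.append((tag, value))

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "style" and self._buf is not None:
            self.blocks.append("".join(self._buf))
            self._buf = None

def build_style_src(html):
    """Return (header line, list of style attributes the hashes do not cover)."""
    collector = InlineStyleCollector()
    collector.feed(html)
    collector.close()
    hashes = sorted({csp_hash(block) for block in collector.blocks})
    header = "Content-Security-Policy: style-src 'self' " + " ".join(hashes)
    return header, collector.style_attrs
```

The hash covers the element's text byte for byte, so any change in whitespace or plugin version produces a different value and the header must be regenerated. The second return value lists `style=""` attributes, which neither a nonce nor a `<style>` element hash permits; those have to move into a stylesheet.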