Apache mod_pagespeed and Content-Security-Policy

July 23, 2018 1k views
Apache Server Optimization Ubuntu 16.04

I’m currently trying to setup my content security policy via the .htaccess file.

As for the script-src I’ve got things working pretty nicely so far with:

 Header always set Content-Security-Policy-Report-Only: " script-src 'unsafe-inline' 'unsafe-eval' https://example.com:443 https://ajax.googleapis.com:443 https://ajax.cloudflare.com:443 https://v2.zopim.com:443"

However, the pagespeed static files such as https://example.com/pagespeed_static/js_defer.I4cHjq6EEP.js aren’t included despite the fact that scripts like https://v2.zopim.com/bin/v/widget_v2.257.js are also included and also placed in subfolders while I only list the root domain in the security policy.

Does this have to do with the fact that the folder /pagespeed_static/ doesn’t really exist on my server? It at least doesn’t via ftp.

How do I go about fixing this?

Be the first one to answer this question.