Apache mod_pagespeed and Content-Security-Policy
I’m currently trying to setup my content security policy via the .htaccess file.
As for the script-src I’ve got things working pretty nicely so far with:
Header always set Content-Security-Policy-Report-Only: " script-src 'unsafe-inline' 'unsafe-eval' https://example.com:443 https://ajax.googleapis.com:443 https://ajax.cloudflare.com:443 https://v2.zopim.com:443"
However, the pagespeed static files such as https://example.com/pagespeed_static/js_defer.I4cHjq6EEP.js aren’t included despite the fact that scripts like https://v2.zopim.com/bin/v/widget_v2.257.js are also included and also placed in subfolders while I only list the root domain in the security policy.
Does this have to do with the fact that the folder /pagespeed_static/ doesn’t really exist on my server? It at least doesn’t via ftp.
How do I go about fixing this?