Rocket Loader will not work with CSP

I’m trying to apply a Content Security Policy to my site but I can’t get this to work with Rocket Loader. I followed the steps mentioned on this page by adding script-src ‘self’; to the meta tag but it still gets blocked as Rocket Loader appears to be adding in its own inline script.

Normally you would add a unique hash value to the script and add this into the allowlist but this doesn’t appear to be possible as the inline script is being added into my page afterwards.

Is there any way around this? Disabling Rocket Loader isn’t really an option here and adding ‘unsafe-inline’ rather defeats the purpose of it all.

Welcome to my world – infested with inline script and styles that keep breaking CSP.

Why isn’t disabling Rocket Loader an option? HTTP/2 does a lot to overcome why Rocket Loader was created. Locally optimized JS should take care of the rest.


Rocket Loader can be disabled. Login to your site’s settings and click through to Speed > Optimization, scroll down and there is the setting to switch Rocket Loader on or off.

Unfortunately that appears to be the only available setting for this. It would be useful if they allowed you to add a hash yourself, then I could add it to my site’s CSP.

Oh, I’m definitely familiar with that. I don’t use it and have followed the suggestions I offered:

But you said:

Which is why I asked:

I’m not sure what you mean here. A hash is derived from the JS code itself, and varies frequently as the JS source you feed into Rocket Loader changes.

This topic was automatically closed 5 days after the last reply. New replies are no longer allowed.