Description
The Content Security Policy HTTP header should disallow unsafe-inline as a best practice. However, the schema data uses an inline script element.
Some stack overflow links which discuss this problem:
- https://stackoverflow.com/questions/29064209/does-schema-org-markup-work-if-markup-is-dynamically-built-with-javascript/29066759
- https://stackoverflow.com/questions/30864619/does-json-ld-have-to-be-embedded
- https://stackoverflow.com/questions/26892397/how-to-externalize-json-ld-and-include-in-html-doc
- https://stackoverflow.com/questions/35353103/is-there-anyway-to-use-json-ld-schema-not-inlined
Some of these questions and answers are pretty old, but the general consensus seems to be that loading an external file will not work, but loading a script which generates the JSON-LD script containing the schema data dynamically should work.
A Content Security Policy script-src directive could also include nonces, but this requires a server and may not be suitable for a statically generated site. The directive also supports hashes, but for a blog or site with a lot of pages, one may end up with an unmaintainable quantity of hashes to add to the security header.
This issue is a feature request to add support for Content Security Policies. I think the dynamic generation approach may be the only way.