pdoPage Load more button problem with Content Security Policy (CSP)

If I use pdoPage with the “Load more” button, an inline script is created:

pdoPage = {callbacks: {}, keys: {}, configs: {}};

For the “Load more” button to work, I have to set the “script-src 'unsafe-inline'” setting in the content security policy (CSP). However, this is not secure.
How can I solve this?

I guess you could try moving the code of the inline scripts to JS files or using your own JS.

The script

<script>pdoPage = {callbacks: {}, keys: {}, configs: {}};</script>

is not output if the property &frontend_startup_js is set.

The script

<script>pdoPage.initialize(' ... ')</script>

(just before </body>) can be replaced by setting the property &frontend_init_js.


I’m not sure if this works though, as there is a (variable?) “hash” value in pdoPage.initialize(...), that is then checked in the connector.

I have set it as described by you. In the CSP header, however, I then solved it with “nonce-…”.
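A way to check the nonce approach from the last post before turning off 'unsafe-inline', as an added example that is not part of the thread or of pdoPage's own code: it audits which inline scripts a given script-src list would let run. The function names, the sample page and the placement of the nonce attribute on the init script are assumptions; only SHA-256 hash sources are checked.

```javascript
const crypto = require('crypto');

// Fresh, unpredictable value per response; never reuse or cache it with the page.
function newNonce() {
  return crypto.randomBytes(16).toString('base64');
}

// CSP hash-source for an inline script whose text never changes.
function hashSource(body) {
  const digest = crypto.createHash('sha256').update(body, 'utf8').digest('base64');
  return `'sha256-${digest}'`;
}

// Report, per inline <script>, whether the given script-src list lets it run.
function auditInlineScripts(html, scriptSrc) {
  const sources = scriptSrc.trim().split(/\s+/);
  const strict = sources.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  // Browsers ignore 'unsafe-inline' once a nonce or hash source is present.
  const unsafeInline = !strict && sources.includes("'unsafe-inline'");
  const results = [];
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  for (const [, attrs, body] of html.matchAll(tagRe)) {
    if (/\bsrc\s*=/i.test(attrs)) continue; // external file, not inline
    const nonce = (attrs.match(/\bnonce="([^"]*)"/i) || [])[1];
    let allowedBy = null;
    if (unsafeInline) allowedBy = 'unsafe-inline';
    else if (nonce && sources.includes(`'nonce-${nonce}'`)) allowedBy = 'nonce';
    else if (sources.includes(hashSource(body))) allowedBy = 'hash';
    results.push({ body, allowedBy });
  }
  return results;
}

// Constructed sample page: the two scripts quoted in the thread, plus one
// inline script that was never given the nonce (hypothetical).
const STARTUP_JS = 'pdoPage = {callbacks: {}, keys: {}, configs: {}};';
function samplePage(nonce) {
  return `<html><body><script>${STARTUP_JS}</script>
<script nonce="${nonce}">pdoPage.initialize(' ... ')</script>
<script>unexpected()</script></body></html>`;
}

const nonce = newNonce();
const policy = `'self' 'nonce-${nonce}' ${hashSource(STARTUP_JS)}`;
for (const r of auditInlineScripts(samplePage(nonce), policy)) {
  console.log(r.allowedBy || 'BLOCKED', '<-', r.body);
}
```

The fixed startup script can be allowed by hash, while the init script needs the nonce because its argument varies; anything carrying neither is reported as blocked.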