Hi Daniel,
Yes, Hype projects will work fine if unchecked 'optimize JavaScript". but will still show:
The source list for Content Security Policy directive 'script-src' contains an invalid source: ''strict-dynamic''. It will be ignored.
I tired both of these two inputs:
https://homewareselect.com/wp-content/uploads/hypeanimations/*
wp-content/uploads/hypeanimations/*
and also test two hype projects:
https://homewareselect.com/parallax-vdbear
https://homewareselect.com/test
Please check the screenshot:
On console, it will show:
`Failed to load resource: the server responded with a status of 404 ()`
Refused to execute https://homewareselect.com/test.hyperesources/HYPE-674.thin.min.js as script because "X-Content-Type: nosniff" was given and its Content-Type is not a script MIME type.
The source list for Content Security Policy directive 'script-src' contains an invalid source: ''strict-dynamic''. It will be ignored.'
Here is what think, please correct me if I am wrong:
Autoptimze take the files from the directory of wp-content, like HYPE-674.thin.min.js as MIME type, whatever the file format is.
So, this issue seems related to nginx configuration but not autoptimize or wordpress. you might like to check at
Content-Security-Policy
https://content-security-policy.com/examples/nginx/
https://github.com/nginx/nginx/blob/master/conf/mime.types
specially, this one:
On our server, we use wordops optimized nginx configuration setting:
# Common security headers
more_set_headers "X-Frame-Options : SAMEORIGIN";
more_set_headers "X-Xss-Protection : 1; mode=block";
more_set_headers "X-Content-Type-Options : nosniff";
more_set_headers "Referrer-Policy : no-referrer, strict-origin-when-cross-origin";
more_set_headers "X-Download-Options : noopen";
# oscp settings
resolver 8.8.8.8 1.1.1.1 8.8.4.4 1.0.0.1 valid=300s;
resolver_timeout 10;
ssl_stapling on;
##
# Basic Settings
##
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
Specifically, it is related to this setting:
more_set_headers "X-Content-Type-Options : nosniff";
So, if Autoptimze is deactivated, the info will still show up:
The source list for Content Security Policy directive 'script-src' contains an invalid source: ''strict-dynamic''. It will be ignored.
For Hype wordpress plugin, maybe the issue could be fixed if the js are loaded from the directory of wp-includes?