CSP help

[azrael11]

Hello

I have this header csp in my .htaccess.

Header set Content-Security-Policy "script-src 'unsafe-inline' 'self' http: https://perfecteclass.com.cy; object-src 'none'; base-uri 'none'; form-action 'self'; frame-ancestors 'self' https://www.perfecteclass.com.cy;"

if i put 'strict-dynamic' in script-src scripts from the my site not loading the same result have the require-trusted-types-for 'script';
So i get B in mozilla observatory.

What can i do so i can put 'strict-dynamic' and require-trusted-types-for 'script' and the scripts of the site loading right
so i can get an A from observatory?

Thank you

[floatingatoll]

At a glance, I suspect you would need to remove unsafe-inline and replace http: with https: in your CSP definitions.

[azrael11]

At a glance, I suspect you would need to remove unsafe-inline and replace http: with https: in your CSP definitions.

i do that and the result is not working the scritps.
To give more info the site is a wordpress site with elementor pro

[floatingatoll]

Ah, it's possible that your site or your plugins are incompatible with the most-secure CSP settings, and a higher grade may not be possible.

[azrael11]

Ah, it's possible that your site or your plugins are incompatible with the most-secure CSP settings, and a higher grade may not be possible.

How can i know where is the problem in plugins or in the site?
In developer tools is see only that it cant get the scripts under this policy.

[floatingatoll]

I don't know, sorry. You would have to trace the HTML served up by Wordpress to either Wordpress itself, or to a specific plugin's insertions into that HTML, and find some other way to make it happen.

[azrael11]

I don't know, sorry. You would have to trace the HTML served up by Wordpress to either Wordpress itself, or to a specific plugin's insertions into that HTML, and find some other way to make it happen.

Thank you very much for quick response and for help.
I'll leave this issue open if there anybody knows something more.