SRI check on WP, HSTS site

[churchthecat]

I get the following error:
Subresource Integrity (SRI) not implemented, and external scripts are loaded over HTTP or use protocol-relative URLs via src="//..."
for site: operalogg.com
and -50 points.
Not sure how to fix since SRI is hard to do on WP. Everything is loaded over HTTPS. remains that the following are relative URLs

Now I changed the script tag in the theme to (adding https:):

<script async src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script> <script> (adsbygoogle = window.adsbygoogle || []).push({ google_ad_client: "ca-pub-xxxxxxxxxx", enable_page_level_ads: true }); </script>

cleaned cache but no changes in head when checking in console.

The CDN is integrated in WP-rocket and no option to force absolute URL.
Tried better search and replace plugin, but that did not work.
Any Idea? I need to pass this score, everything is loaded securely so I don't understand why relative URLs should be such an issue?

[floatingatoll]

src=// is vulnerable to downgrade attacks. Please use src=https:// instead. Ancient browsers used to warn when https content was embedded in a page; they no longer do, so it’s no longer necessary. Unfortunately it sounds like you do not control the component in question; I recommend contacting their support and asking them to correct the issue. They're welcome to comment here if they have questions or concerns.

…

On Thu, Sep 16, 2021 at 07:05 churchthecat ***@***.***> wrote: I get the following error: Subresource Integrity (SRI) not implemented, and external scripts are loaded over HTTP or use protocol-relative URLs via src="//..." for site: operalogg.com and -50 points. Not sure how to fix since SRI is hard to do on WP. Everything is loaded over HTTPS. remains that the following are relative URLs Now I changed the script tag in the theme to (adding https:): <script async src=" https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script> <script> (adsbygoogle = window.adsbygoogle || []).push({ google_ad_client: "ca-pub-1764137165193100", enable_page_level_ads: true }); </script> cleaned cache but no changes in head when checking in console. The CDN is integrated in WP-rocket and no option to force absolute URL. Tried better search and replace plugin, but that did not work. Any Idea? I need to pass this score, everything is loaded securely so I don't understand why relative URLs should be such an issue? — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#259>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAAWUDDIVZCTUDC7KOKKT5TUCH2RFANCNFSM5EE27TSQ> .

[churchthecat]

Yea thing is site is blocked by insecure requests by cloudflare, CSP and HSTS. I have tried several ways. Found the Google adscript in Divi settings and changed to Https , however headers are still src:// for that. The CDN is also src:// tried search&replace by plugin. Just got 0 on dry run there. I have a script for changing by SQL query but dont want to mess anything up by using the wrong query. How are src:// vurneble to attack on an Https only site? Really want to understand this, first time I encountered this issue.

On 16 September 2021 15:30:19 UTC, floatingatoll ***@***.***> wrote: src=// is vulnerable to downgrade attacks. Please use src=https:// instead. Ancient browsers used to warn when https content was embedded in a page; they no longer do, so it’s no longer necessary. On Thu, Sep 16, 2021 at 07:05 churchthecat ***@***.***> wrote: > I get the following error: > Subresource Integrity (SRI) not implemented, and external scripts are > loaded over HTTP or use protocol-relative URLs via src="//..." > for site: operalogg.com > and -50 points. > Not sure how to fix since SRI is hard to do on WP. Everything is loaded > over HTTPS. remains that the following are relative URLs > > Now I changed the script tag in the theme to (adding https:): > <script async src=" > https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script> > <script> (adsbygoogle = window.adsbygoogle || []).push({ google_ad_client: > "ca-pub-1764137165193100", enable_page_level_ads: true }); </script> > > cleaned cache but no changes in head when checking in console. > > The CDN is integrated in WP-rocket and no option to force absolute URL. > Tried better search and replace plugin, but that did not work. > Any Idea? I need to pass this score, everything is loaded securely so I > don't understand why relative URLs should be such an issue? > > — > You are receiving this because you are subscribed to this thread. > Reply to this email directly, view it on GitHub > <#259>, or > unsubscribe > <https://github.com/notifications/unsubscribe-auth/AAAWUDDIVZCTUDC7KOKKT5TUCH2RFANCNFSM5EE27TSQ> > . > -- > You are receiving this because you authored the thread. Reply to this email directly or view it on GitHub: #259 (comment)

-- Sent from my Android device with K-9 Mail. Please excuse my brevity.

[churchthecat]

Thanks for the clarification in edit. It seems I got the error on another page as well. I assume that the possibility for an downgrade attack, with current settings in place are non-existent. Well at least until someone hacks google maybe :). So I will just leave this for now.
But I have to say, it does seem a bit excessive to dock 50 points on the test in this case.