Inlining resources without explicit authorization
Authorizing and Mapping Urls and Domains
Note: New feature as of PageSpeed 22.214.171.124
InlineResourcesWithoutExplicitAuthorization directive can be used to allow resources from third-party domains to be inlined into the HTML without requiring explicit authorization for each domain. This option is “off” by default, and takes a comma-separated list of strings representing resource categories for which the option should be enabled. The list of valid resource categories is given here. Currently, only Script and Stylesheet resource types are supported for this option.
This option can be enabled as follows:
pagespeed InlineResourcesWithoutExplicitAuthorization Script,Stylesheet
InlineResourcesWithoutExplicitAuthorization could permit hostile third parties to access any machine and port that the server running mod_pagespeed has access to, including potentially those behind firewalls. Please read the following information for details.
This directive should only be enabled if all of the following conditions are met for the resource types for which this option is enabled:
- The webmaster is confident that the resources referenced on their pages are from trusted domains only.
- The site does not allow user-injected resources for the enabled resource types.
- Fetches from the PageSpeed server should have no more access to machines or ports than anyone on the Internet, and machines it can access should not treat its traffic specially. Specifically, the PageSpeed servers should not be able to access anything that is internal to a firewall. Please refer to Fetch server restrictions sections for more details.
Note that resources inlined into HTML via this option will not be accessible directly via a pagespeed URL, since that involves different security risks. Resources will also not be inlined into other non-HTML resources via this option. This means that flatten_css_imports will not flatten third-party CSS into another CSS resource, unless the relevant third-party domains are authorized explicitly via one of the techniques mentioned in the previous sections.