Hi.
I like your plugin. It does work well, but recently I’ve faced issues with Content Security Policy (CSP) implementation with your plugin.
The best practices are not to use ‘unsafe-inline’ and ‘unsafe-eval’ for scripts.
To make a long story short, I coded the functionality of dynamic CSP (it calculates hashes or adds a nonce for inline and external scripts). Details are not so important, but I use standard WP functions and filters for scripts: wp_add_inline_script(), wp_print_inline_script_tag(), wp_localize_script(), etc. It allows me to add the CSP nonce to them or calculate hashes for them. Everything works well, but…
Your plugin outputs scripts in an inappropriate way, without using any WP functions or filters (‘wp_script_attributes’, ‘wp_inline_script_attributes’). At least in the fix_malformed_script_link_tags(). It makes it impossible to implement CSP for your scripts and forces me to do dirty tricks to fix it. It’s really sad.
I urge you to support CSP and output JS scripts with WP functions/filters only (and don’t use inline handlers like onclick, etc.).
Thanks.
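
The output path the post asks for, as an added example that is not part of the original post or of the plugin's code: a per-request nonce is attached through the two filters named above, and an inline script is printed with wp_print_inline_script_tag() so that it receives the nonce. The `csp_example_*` function names, the plugin header and the `#csp-example-button` element are hypothetical.

```php
<?php
/**
 * Plugin Name: CSP Nonce Example (hypothetical name, added example)
 */
defined( 'ABSPATH' ) || exit;

// One nonce per request, generated lazily and shared by the header and every tag.
function csp_example_nonce(): string {
    static $nonce = null;
    if ( null === $nonce ) {
        $nonce = base64_encode( random_bytes( 18 ) );
    }
    return $nonce;
}

// Attach the nonce to script tags built by wp_get_script_tag() and
// wp_get_inline_script_tag() (and their wp_print_* wrappers).
function csp_example_add_nonce( array $attributes ): array {
    $attributes['nonce'] = csp_example_nonce();
    return $attributes;
}
add_filter( 'wp_script_attributes', 'csp_example_add_nonce' );
add_filter( 'wp_inline_script_attributes', 'csp_example_add_nonce' );

// Send the matching policy on front-end responses, without 'unsafe-inline'.
add_action( 'send_headers', function () {
    header( sprintf(
        "Content-Security-Policy: script-src 'nonce-%s'",
        csp_example_nonce()
    ) );
} );

// Plugin output that cooperates with the policy: the inline script goes through
// the WP helper (so the filter adds the nonce), and the click handler is bound
// with addEventListener instead of an onclick="" attribute.
add_action( 'wp_footer', function () {
    wp_print_inline_script_tag(
        'document.querySelector("#csp-example-button")' .
        '?.addEventListener("click", function () { console.log("clicked"); });'
    );
} );

// By contrast, echo '<script>...</script>'; bypasses both filters, carries no
// nonce, and is blocked by the policy above.
```

A nonce is only valid for the response that generated it, so pages served from a full-page cache need hashes or cache exclusion instead.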
