HTTP403: FORBIDDEN - The server understood the request, but is refusing to fulfill it. (in MS EDGE)

[jrberlin]

Expected Behavior

We load our application in a iframe and we have a Content security policy in place, with the latest update we expect the same good behavior as before with no error showing in the console during the loading of our system.

Current Behavior

We are experiencing several console errors as follows:

HTTP403: FORBIDDEN - The server understood the request, but is refusing to fulfill it.
(XHR)GET - (the url)

if we rollback to the previous version we had (2.6.0) these errors doesn't occur.

Steps to Reproduce (for bugs)

have a Content security police (CSP) as follows:
"default-src 'self'; script-src 'self'; style-src 'self'" unsafe-inline;

then embed in an iframe a html page with a chart, the error occurs on loading, just referencing the library in the header of the page is enough to trigger those errors

Context

The issue doesn't have impact on the functionality, just annoys the user with these error showing in the console.

Environment

• Chart.js version: 2.7.1
• Browser name and version: Microsoft Edge 40.15063.674.0 , Microsoft EdgeHTML 15.15063 and also tested with the latest version and the problem is also reproducible

[etimberg]

Duplicate of #5208