[BUG] Since release 3.2.0 there are CSP violations attempting to connect to js.monitor.azure.com (using npm not snippet) #2341
Comments
It's not actually a script that it's loading, but it is reaching out to download a JSON file; we documented this process here. And we have documented how to disable this capability here.
Please try disabling downloading the script by following https://github.com/microsoft/ApplicationInsights-JS/blob/main/docs/WebConfig.md#disable-fetching-from-cdn. Please let us know if it works!
I'm seeing the same issue. I must say that after reading the documentation it is not at all clear to me what these plugins are. A couple of questions:
Hi @ad-eg-dk
Hi there. After probably 1h of 2 devs struggling with this, we understood the following:
For users like us, who already switched to connection strings after the first deprecation notice, this creates a load of unnecessary complexity, which is not needed and very badly documented. We get warnings about access to the CDN, as we have a very strict Content-Security-Policy set on our app, which does not allow connecting to random new endpoints, which are not documented in any release notes. I would wish for release notes to not only contain technical changes ("feature opt in is now default for config sync and throttlemanager") which are very cryptic and not understandable at all, but also a high level description like: "hey, we now enable this so we can make others aware of the deprecation. If you already migrated, you can ignore the warnings/turn off the features."
How can I deactivate the functions so that I don't get this error with
Description/Screenshot
Since updating to 3.2.0 we are now getting CSP violations connecting to js.monitor.azure.com. This was not happening in 3.1.2. We are using npm and the JavaScript initialization, not the snippet, because we have a policy of not loading scripts from external domains.
Steps to Reproduce
using npm package
Expected behavior
applicationinsights-web implemented via npm will not load javascript from an external site
Additional context
We have a very strict CSP that blocks loading of scripts from external sites.
This causes a production showstopper for us, since it was not listed as a breaking change that external scripts would now be loaded.
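Added example, not part of the issue thread or the project's code: a simplified CSP check showing why the JSON download mentioned in the comments is governed by `connect-src` (with `default-src` as fallback) rather than `script-src`, so a strict policy blocks it even though no script is loaded. The page origin, the policy string and the JSON path are constructed placeholders; only the host js.monitor.azure.com comes from the issue.

```javascript
// Added example. Simplified CSP matching: host and scheme sources only, no paths, nonces or hashes.
const DIRECTIVE_FOR = { script: "script-src", fetch: "connect-src" }; // both fall back to default-src

// Constructed sample values (not from the issue): page origin, policy, and JSON path.
const PAGE_ORIGIN = "https://app.example";
const STRICT_POLICY = "default-src 'self'; script-src 'self'; connect-src 'self' https://ingest.example";
const CONFIG_URL = "https://js.monitor.azure.com/placeholder.json";

// Parse a policy string into Map(directive -> source list). A repeated directive is ignored.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Match one source expression against a URL requested by a page at pageOrigin.
function sourceMatches(source, url, pageOrigin) {
  if (source === "'self'") return url.origin === pageOrigin;
  if (source === "*") return url.protocol === "https:" || url.protocol === "http:";
  if (source.startsWith("'")) return false; // 'none', nonces, hashes: never match a URL here
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)(?::(\d+|\*))?/i.exec(source);
  if (!m) return false;
  const [, scheme, host, port] = m;
  // No scheme in the source means the page's scheme, with http allowed to upgrade to https.
  const want = scheme ? scheme.toLowerCase() + ":" : new URL(pageOrigin).protocol;
  if (url.protocol !== want && !(want === "http:" && url.protocol === "https:")) return false;
  const def = url.protocol === "https:" ? "443" : "80";
  if (port !== "*" && (port || def) !== (url.port || def)) return false;
  const h = host.toLowerCase();
  return h.startsWith("*.") ? url.hostname.endsWith(h.slice(1)) : url.hostname === h;
}

// Returns { allowed, directive }: directive is the one whose source list was consulted.
function checkRequest(header, kind, target, pageOrigin) {
  const policy = parseCsp(header);
  const wanted = DIRECTIVE_FOR[kind];
  const directive = policy.has(wanted) ? wanted : policy.has("default-src") ? "default-src" : null;
  if (!directive) return { allowed: true, directive: null };
  const url = new URL(target);
  const allowed = policy.get(directive).some((s) => sourceMatches(s, url, pageOrigin));
  return { allowed, directive };
}

console.log(checkRequest(STRICT_POLICY, "fetch", CONFIG_URL, PAGE_ORIGIN));
```

Running the same check against a staging policy before an SDK upgrade shows whether a new outbound endpoint needs a `connect-src` entry or the feature needs to be disabled instead.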