Correct me if I'm wrong, but as far as I can see, there is currently no way for the following scenario to work:
There is a so-called single-page application, which uses client-side routing to change the current view and interacts with the server only through AJAX calls to the server API.
The application in general has a very restrictive CSP.
One of the routes ("pages") of the application requires a different CSP. E.g. it contains a WYSIWYG editor and must support external/data-URI images, but the application in general doesn't allow them.
Because client-routed navigation between pages doesn't request a new document, there is no way to provide a new CSP for the next page.
How it could be worked around now:
Define a CSP compatible with all application pages. This leads to a too permissive CSP and defeats its purpose.
Disable client-side navigation to/from pages that require a CSP that differs from the site-wide CSP. This leads to extra traffic and bad client-side performance (the browser needs to reinitialize all that JS that SPA apps are so proud of).
Possible solutions on CSP-spec level:
Allow specifying multiple policies in a single header, with a URI binding for each policy
???
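
Added example, not part of the original issue and not code from the CSP specification: a sketch of the second workaround, where the router falls back to a full document load only when the target route's policy differs from the current one. The route table, the policy strings and the `hooks` object are constructed for illustration, and paths are assumed to be pathnames without query strings.

```javascript
// Added example. Routes and policies are constructed; "/editor" stands for
// the WYSIWYG page described in the issue.
const SITE_CSP = "default-src 'self'; img-src 'self'";
const ROUTE_CSP = [
  { prefix: "/editor", csp: "default-src 'self'; img-src 'self' https: data:" },
];

// Server side: choose the policy for a document request by longest matching
// path prefix, on segment boundaries so "/editorial" does not match "/editor".
function cspForPath(path) {
  let best = null;
  for (const r of ROUTE_CSP) {
    const hit = path === r.prefix || path.startsWith(r.prefix + "/");
    if (hit && (!best || r.prefix.length > best.prefix.length)) best = r;
  }
  return best ? best.csp : SITE_CSP;
}

// Canonical form so that directive or source order does not force a reload.
function normalizeCsp(policy) {
  return policy.split(";").map((d) => d.trim()).filter(Boolean)
    .map((d) => {
      const [name, ...sources] = d.split(/\s+/);
      return [name.toLowerCase(), ...sources.sort()].join(" ");
    })
    .sort().join("; ");
}

// Client side: a history-API transition keeps the current document and its
// policy, so it is only allowed between routes with the same policy.
function needsDocumentLoad(fromPath, toPath) {
  return normalizeCsp(cspForPath(fromPath)) !== normalizeCsp(cspForPath(toPath));
}

// `hooks` is hypothetical glue: in a browser, pushState would wrap
// history.pushState and loadDocument would wrap location.assign.
function navigate(fromPath, toPath, hooks) {
  if (needsDocumentLoad(fromPath, toPath)) {
    hooks.loadDocument(toPath); // new request, server sends cspForPath(toPath)
    return "document";
  }
  hooks.pushState(toPath);
  return "client";
}
```

Only transitions that cross a policy boundary pay the reload cost; navigation among routes that share the site-wide policy stays client-side.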