Created
August 7, 2017 11:52
-
-
Save bayotop/4a45744a2bca2c0d9796499586c2d6d9 to your computer and use it in GitHub Desktop.
Chrome + CSP 'strict-dynamic' + <link rel=preloaded as=script href=... />
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!DOCTYPE html> | |
| <head> | |
| <title>CSP strict-dynamic + preload link in Chrome</title> | |
| <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-123' 'strict-dynamic'" /> | |
| </head> | |
| <body> | |
| <script nonce="123"> | |
| var f = document.createElement("link"); | |
| f.rel = "preload"; // prefetch works perfectly fine | |
| f.href = "/foo.js" | |
| f.as = "script"; | |
| document.head.appendChild(f) | |
| </script> | |
| <!-- preloaded foo.js is never fetched as a CSP violation is triggered in latest Chrome (Version 60.0.3112.90 (Official Build) (64-bit)) --> | |
| </body> | |
| </html> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment