@arturjanc @mikewest are you aware of a strict-dynamic bug in Canary where loading a script from cache throws this? pic.twitter.com/Pego1PYmVv
Oh, interesting! @we1x recently filed https://github.com/w3c/webappsec-csp/issues/161 … but it wasn't a bug in Chrome last time we checked.
Do you have a repro URL?
I found it: including crossorigin="anonymous" on a relative url, when subsequently loaded from cache, is blocked.
relative url or fully qualified URL that loads from the page origin, aka, !crossorigin. ;)
Let's see if I can host a demo.
Great, I think Mike is just itching to do some coding so I'm sure he'll be willing to take a look soon :)
ok here's a noisy demo: https://csp-demo-152522.appspot-preview.com
on fresh or hard reload, no CSP errors. On reload from cache, 'foo.js' will be 'blocked', but then loads anyway.
'bar.js' is the same except lacking the crossorigin='anonymous' attribute. All scripts have integrity attrs.