@arturjanc @mikewest are you aware of a strict-dynamic bug in Canary where loading a script from cache throws this? pic.twitter.com/Pego1PYmVv
I found it: including crossorigin="anonymous" on a relative url, when subsequently loaded from cache, is blocked.
relative url or fully qualified URL that loads from the page origin, aka, !crossorigin. ;)
Let's see if I can host a demo.
Great, I think Mike is just itching to do some coding so I'm sure he'll be willing to take a look soon :)
ok here's a noisy demo: https://csp-demo-152522.appspot-preview.com
on fresh or hard reload, no CSP errors. On reload from cache, 'foo.js' will be 'blocked', but then loads anyway.
'bar.js' is the same except lacking the crossorigin='anonymous' attribute. All scripts have integrity attrs.
CSP is using strict-dynamic with nonces, no hashes, so I think SRI is interfering w/ CSP when loading from cache.