Can anyone see why Edge is rejecting jQuery on this page even though there's a valid CSP nonce? It's happy in Chrome and FF, what's upsetting Edge? /cc @Scott_Helme https://reporturidemos.azurewebsites.net/nonce
-
-
Replying to @troyhunt
I can't see why it's failing on CORS, this seems to be the issue:pic.twitter.com/Di51sVwpug
2 replies 0 retweets 0 likes -
Replying to @Scott_Helme @troyhunt
I’ve not done hashes before..does it require CORS the same way as SRI?
1 reply 0 retweets 0 likes -
Replying to @patricktoomey @troyhunt
The asset is coming from a CDN that sets ACAO *.
2 replies 0 retweets 0 likes -
Replying to @Scott_Helme @troyhunt
Could they be doing something super wonky and making a credentialed request and require the non-* credentialed request CORS response?
1 reply 0 retweets 0 likes -
Replying to @patricktoomey @troyhunt
I honestly don't think that using a nonce requires CORS, nothing in the spec about it.
2 replies 0 retweets 0 likes -
My current assessment is that this is a bug in Edge ¯\_(ツ)_/¯
1 reply 0 retweets 2 likes -
-
Yes. It looks like Edge supports nonces only for inline <script> elements, but not for external ones. See https://arturjanc.com/cgi-bin/edge-nonce.py … (all browsers except Edge show two alerts, Edge just one).
2 replies 0 retweets 3 likes
(My initial tweet had the logic backwards, I deleted it to avoid confusing people)
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.
