The asset is coming from a CDN that sets ACAO *.
Replying to @Scott_Helme @troyhunt
Could they be doing something super wonky and making a credentialed request and require the non-* credentialed request CORS response?
Replying to @patricktoomey @troyhunt
I honestly don't think that using a nonce requires CORS, nothing in the spec about it.
My current assessment is that this is a bug in Edge ¯\_(ツ)_/¯
Yes. It looks like Edge supports nonces only for inline <script> elements, but not for external ones. See https://arturjanc.com/cgi-bin/edge-nonce.py … (all browsers except Edge show two alerts, Edge just one).
*bangs head on wall*
Replying to @Scott_Helme @arturjanc and
Is this something already known (is there already a bug for it)?
We haven't run into it before (likely because our policies have 'strict-dynamic' and https: as a fallback, which blesses all external scripts in Edge). Definitely worth filing a bug, also paging @patrickkettner
Replying to @arturjanc @patricktoomey and
Can I use your demo page as a reference?
Sure thing, I will keep it around. Great find, BTW!
Replying to @arturjanc @patricktoomey and
Credit to Troy for the find, seems it's also already bugged: https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/13246371/ …
