Content Security Policy related errors in GDK

Summary

This issue collects the errors and issues related to Content Security Policy (CSP) in GDK.

Issues

  1. worker-src

    The worker-src directive is missing the blob: and data: sources.

    PoC screenshot (Chrome)
    PoC screenshot (Safari)

    If this directive is absent, the user agent will first look for the child-src directive, then the script-src directive, then finally for the default-src directive, when governing worker execution.

  2. child-src

    The child-src directive is missing the 'self' source.

    PoC screenshot (Safari)

    worker-src is not supported in Safari yet.
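The fallback chain quoted under issue 1 and the Safari case under issue 2 can be checked mechanically. The following is an added example (not code from the GDK issue or from GitLab): it parses a CSP header, resolves which directive governs worker execution, and reports whether a given worker source is allowed. Safari is modelled by skipping worker-src in the chain; the header strings and hostnames are constructed placeholders, and source matching is simplified to exact tokens plus the CSP rule that '*' does not match blob:/data: scheme sources.

```python
# Added example: resolve the CSP directive governing workers via the fallback
# chain worker-src -> child-src -> script-src -> default-src, then check a source.
# Matching is a simplified model, not a full CSP3 implementation.

WORKER_FALLBACK = ("worker-src", "child-src", "script-src", "default-src")
SCHEME_SOURCES = ("blob:", "data:", "filesystem:")


def parse_csp(header: str) -> dict:
    """Split a Content-Security-Policy header into {directive: [source tokens]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_worker_directive(policy: dict, supports_worker_src: bool = True):
    """Return the directive a user agent applies to worker execution, or None.

    A browser without worker-src support (Safari, per the issue) starts at child-src.
    """
    chain = WORKER_FALLBACK if supports_worker_src else WORKER_FALLBACK[1:]
    for name in chain:
        if name in policy:
            return name
    return None


def worker_allowed(header: str, source: str, supports_worker_src: bool = True) -> bool:
    """True if `source` (e.g. "blob:" or "'self'") may run as a worker under `header`."""
    policy = parse_csp(header)
    name = effective_worker_directive(policy, supports_worker_src)
    if name is None:
        return True  # no governing directive: workers are unrestricted
    sources = policy[name]
    if "'none'" in sources:
        return False
    if source in sources:
        return True
    # '*' matches network hosts (including same-origin) but never blob:/data:
    return "*" in sources and source not in SCHEME_SOURCES


# Constructed headers illustrating the two findings (hostnames are placeholders).
BEFORE = ("default-src 'self'; script-src 'self' 'nonce-abc123'; "
          "child-src https://widgets.example; worker-src 'self'")
AFTER = ("default-src 'self'; script-src 'self' 'nonce-abc123'; "
         "child-src 'self' https://widgets.example; worker-src 'self' blob: data:")

if __name__ == "__main__":
    print("Chrome, blob: worker before/after:",
          worker_allowed(BEFORE, "blob:"), worker_allowed(AFTER, "blob:"))
    print("Safari, same-origin worker before/after:",
          worker_allowed(BEFORE, "'self'", False), worker_allowed(AFTER, "'self'", False))
```

Running it shows that BEFORE blocks blob: workers in Chrome (worker-src lacks blob:) and blocks same-origin workers in Safari (child-src lacks 'self'), while AFTER allows both.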

  3. nonce

    The nonce attribute is probably missing when the Monaco editor is preloaded; the preload_link_tag helper is probably worth looking into. Reproducible in the Web IDE.

    PoC screenshot (local)
    PoC screenshot (13.12 review app)
Edited by Dheeraj Joshi