The description mentions full CSP support - but when enabled, it makes blob requests (disabled by company policies due to XSS risk).
Npm version page mentioned no blob/unsafe inline needed - out of date info?
It also does not pick up nonce from the scripts (even if i hardcoded a script tag in head with nonce value - blobs still send empty nonce)
The description mentions full CSP support - but when enabled, it makes blob requests (disabled by company policies due to XSS risk).
Npm version page mentioned no blob/unsafe inline needed - out of date info?
It also does not pick up nonce from the scripts (even if i hardcoded a script tag in head with nonce value - blobs still send empty nonce)