In our project, CSP is configured and transferred to Response Headers. In addition, we have a simple Service Worker that checks if it is possible to go to another page and if not redirect to the cached standalone html page. This is the code for the Service Worker part for the fetch event.
self.addEventListener('fetch', function (event) {
event.respondWith(
caches
.match(event.request).then(function (response) {
return response || fetch(event.request);
})
.catch(getFallbackResponse(event))
);
});
But when the CSP configuration is changed and Service Worker was installed before this change in the CSP configuration, we get an Refused to load the script '[url]' because it violates the following Content Security Policy directive: ...error. And as soon as we update or unregister the Service Worker, the new CSP configuration will be applied.
Is behavior expected?
source
share