content-security-policy | featured Content Security Policy as Rack | Security library

The reason Electron, or any other Web browser that implements Content Security Policy, for that matter, would correctly refuse to load a script from an arbitrary origin (URL), or even an "inline" script (e.g. script text inside a script element), is because your security policy is explicitly specified to deny such attempts, with that meta element you said you added:

1. Open IIS
2. Select the Web Site
3. Open Configuration Editor
4. Select system.webServer and expand it, then locate serverRuntime
5. Change uploadReadAheadSize value to 104857600

To allow communication between containers you need to setup a shared networks, e.g. in .yaml (this can be done as well as on ci, report in .yaml only for sake of code):

I will just leave this here:

I have not tried to reproduce, but from reading this it would make sense for Firefox to start blocking as you sandboxed the document, meaning it has an opaque origin and therefore the image will appear cross-origin.

As for Chrome, could sandboxing have been in effect there too somehow?

It's important to note that the Webclient class uses the RETR command to download an FTP resource. For an HTTP resource, the GET method is used. That means if you provide a URL that doesn't contains the correct parameters to a downloadable file, you gonna end up with some exceptions that are not handled because Webclient was replaced with System.Net.Http.HttpClient, that I recommend you use instead.

Below you can see a exemple of how the Webclient works, on your case you are getting "useless error" because you are on a async method. I would suggest to use the normal method like below to debug and get the correct exception.

Delivering CSP via HTTP header is a preferred way.

Meta tag has the same functionality but for technical reasons it does not support some directives: frame-ancestors, report-uri, report-to and sandbox. Also the Content-Security-Policy-Report-Only is not supported in meta tag.

In SPA (Single Page Application), a meta tag is traditionally used for CSP delivery, because a lot of hostings do now allow to manage of HTTP header.

When SSR (Server Side Rendering), an HTTP header is used more often.

You can use any technically convenient CSP delivery method (keeping in mind the limitations of the meta tag), but do not use both at the same time. Both policies will be executed one after the other, so in case of differences, a stricter one will apply actually.

Note that:

• CSP meta tag should be placed in , otherwise it will not work.
• Changing the meta tag by javascript will result in both the old and the new policies being in effect.
• in cases of CSP for non-HTML files, the meta tag can not be used technically

This is quite easy. Grab a copy of delimitedSplit8k. It returns the item and it's ordinal position in the string. And it's fast.

The first error is related to the $(window).load(populateFavorites()); in your script.js.

You are using version 3.5.1 of jQuery, and .load() was removed in version 3.0.

You can replace it with $(window).on("load", populateFavorites); and you will be fine.

The last two errors look like they are related to using an Adblocker (try disabling it, refresh the page, and check if the errors persist 😁).