GeekInTheNorth / Stott.Security.Optimizely

A CMS Administration interface for managing security headers for Optimizely CMS Traditional and Hybrid builds.
MIT License

Update CSP Reporting widget to not throw an error for itself #104

Closed GeekInTheNorth closed 1 year ago

GeekInTheNorth commented 1 year ago

If the CSP does not include the connect-src for 'self' then the CSP reporting widget will report an error for trying to execute itself.

When the CSP is in reporting-only mode this can lead to an infinite loop of reporting its own action. In action this has been observed as causing infinite reporting that locks up the browser.

Add an additional check that prevents reporting the CSP reporting beyond the first error logged.

As this will increase the complexity of the reporting script, it should be moved into a JS file of its own.

GeekInTheNorth commented 1 year ago

The workaround for this is to go straight to the CMS Admin interface on /episerver/CMS ... navigate to the security module and add connect-src and script-src-element to the CSP for 'self'.

Should be noted that new environments with no sources configured will have these added as default sources on application start. But it is possible for someone to cause this directly.

Might be worth re-implementing or merging in minimum requirements to the CSP being used.
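The two comments above describe a reporting script that listens for securitypolicyviolation events and posts each one back to the site; when the policy has no connect-src 'self', the post itself is a violation, and in report-only mode the request still goes out, so each report triggers the next. The following is an added example, not the repository's own reporting script or its CSP module: it models that loop with a constructed stand-in for the browser's event dispatch and fetch (a real browser simply recurses until the tab hangs, so the stand-in throws after 50 requests), shows the "before" handler that re-reports itself, and the guarded handler that sends its own connect-src violation once and drops every repeat, so the administrator still sees that 'self' is missing. The endpoint path, host and sample violations are hypothetical. Note that the directive the workaround calls script-src-element is spelled script-src-elem in CSP Level 3.

```javascript
'use strict';

// Hypothetical reporting endpoint; the real module's route is not given on this page.
const REPORT_ENDPOINT = '/stott.security/csp-report';

// Minimal stand-in for the browser so the example runs in Node: it keeps the
// securitypolicyviolation listeners, records every POST the reporter makes and,
// when the CSP lacks connect-src 'self', fires a new violation event for each
// POST, which is what a real browser does for a request the policy does not
// allow (in report-only mode the request is still delivered, but the event fires).
function createBrowser({ connectSrcSelfAllowed, maxRequests = 50 }) {
  const listeners = [];
  const requests = [];
  const browser = {
    requests,
    addEventListener(type, handler) {
      if (type === 'securitypolicyviolation') listeners.push(handler);
    },
    dispatch(violation) {
      for (const handler of listeners) handler(violation);
    },
    fetch(url, init) {
      if (requests.length >= maxRequests) {
        // A real browser never gets here; it just recurses until the tab hangs.
        throw new Error(`simulated lock-up: more than ${maxRequests} report requests`);
      }
      requests.push({ url, body: init.body });
      if (!connectSrcSelfAllowed) {
        browser.dispatch({
          effectiveDirective: 'connect-src',
          violatedDirective: 'connect-src',
          blockedURI: 'https://example.test' + url, // constructed origin
          disposition: 'report',
        });
      }
    },
  };
  return browser;
}

// Shape the event into the JSON body the reporter posts (field names follow the CSP report format).
function toReport(e) {
  return {
    'effective-directive': e.effectiveDirective,
    'violated-directive': e.violatedDirective,
    'blocked-uri': e.blockedURI,
    disposition: e.disposition,
  };
}

function postReport(browser, e) {
  browser.fetch(REPORT_ENDPOINT, { method: 'POST', body: JSON.stringify(toReport(e)) });
}

// Before: every violation is posted, including the violation caused by the post.
function installNaiveReporter(browser) {
  browser.addEventListener('securitypolicyviolation', (e) => postReport(browser, e));
}

// A violation is "our own" when the blocked request is the reporter's POST.
function isOwnReportRequest(e) {
  return e.effectiveDirective === 'connect-src' && String(e.blockedURI).endsWith(REPORT_ENDPOINT);
}

// After: the reporter's own connect-src violation is sent once, then dropped.
function installGuardedReporter(browser) {
  let ownViolationReported = false;
  browser.addEventListener('securitypolicyviolation', (e) => {
    if (isOwnReportRequest(e)) {
      if (ownViolationReported) return;
      ownViolationReported = true;
    }
    postReport(browser, e);
  });
}

// Drives one scenario: install a reporter, then raise a single unrelated
// violation (constructed: an image from a host the policy does not list).
function runScenario(install, connectSrcSelfAllowed) {
  const browser = createBrowser({ connectSrcSelfAllowed });
  install(browser);
  try {
    browser.dispatch({
      effectiveDirective: 'img-src',
      violatedDirective: 'img-src',
      blockedURI: 'https://cdn.example.invalid/logo.png',
      disposition: 'report',
    });
    return { sent: browser.requests.length, lockedUp: false };
  } catch (err) {
    return { sent: browser.requests.length, lockedUp: true };
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('naive,   connect-src self missing :', runScenario(installNaiveReporter, false));
  console.log('guarded, connect-src self missing :', runScenario(installGuardedReporter, false));
  console.log('guarded, connect-src self present :', runScenario(installGuardedReporter, true));
}
```

With 'self' missing, the naive reporter hits the simulated cap (50 requests and a lock-up), while the guarded one posts exactly two reports: the original img-src violation and a single connect-src violation for its own endpoint. With 'self' present, both post once. The guard keys on the blocked URI matching the reporting endpoint rather than on the directive alone, so genuine connect-src violations for other hosts are still reported.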

GeekInTheNorth commented 1 year ago

Pending Release Build

GeekInTheNorth commented 1 year ago

Released in 1.1.0