We've found that frameworks like https://shoelace.style/ effectively do fetch('data:...') to load internal resources. Since we already allow images and similar resources to be loaded from blob: or data: URLs, it seems safe to allow it for fetch() and XMLHttpRequest. The script-src policy will prevent data loaded this way from being evaluated as code.
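To make the reasoning in the message concrete, here is an added example (not code from the change itself or from the project) that models the relevant piece of Content-Security-Policy evaluation: fetch() and XMLHttpRequest are governed by connect-src, which falls back to default-src when absent, while script execution is governed by script-src. The two policy strings, the page origin and the request URLs are constructed for the example; only the source expressions needed here ('self', 'none', '*', scheme-source and host-source) are modelled.

```javascript
// Added example: a small CSP evaluator showing the effect of adding
// "connect-src 'self' data: blob:" next to an unchanged "script-src 'self'".
// Constructed values (not the project's real policy):
const PAGE_ORIGIN = 'https://app.example';
const BEFORE = "default-src 'self'; script-src 'self'; img-src 'self' data: blob:";
const AFTER = BEFORE + "; connect-src 'self' data: blob:";

const NETWORK_SCHEMES = new Set(['http:', 'https:', 'ws:', 'wss:']);

// Which fetch directive governs a given kind of load.
const DIRECTIVE_FOR = {
  fetch: 'connect-src', // fetch(), XMLHttpRequest, WebSocket, EventSource
  script: 'script-src',
  img: 'img-src',
};

// Parse "directive src src; directive src" into Map(directive -> [sources]).
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
  }
  return policy;
}

// A missing fetch directive falls back to default-src; if neither exists,
// CSP places no restriction on that load type.
function effectiveSources(policy, directive) {
  return policy.get(directive) ?? policy.get('default-src') ?? null;
}

// Does one source expression match the URL being loaded from pageOrigin?
function matchesSource(source, url, pageOrigin) {
  const target = new URL(url);
  const scheme = target.protocol; // "data:", "blob:", "https:", ...
  if (source === "'none'") return false;
  if (source === "'self'") {
    // 'self' only covers network schemes on the page's own origin;
    // a data: URL has an opaque ("null") origin and never matches it.
    return NETWORK_SCHEMES.has(scheme) && target.origin === pageOrigin;
  }
  if (source === '*') {
    // '*' deliberately excludes data:, blob: and filesystem: URLs;
    // those must be listed as an explicit scheme-source.
    return NETWORK_SCHEMES.has(scheme);
  }
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) {
    return source === scheme; // scheme-source such as data: or blob:
  }
  if (source.includes('://')) {
    return new URL(source).origin === target.origin; // host-source, origin match
  }
  return false; // nonces, hashes and wildcard hosts are out of scope here
}

function isAllowed(policy, loadType, url, pageOrigin) {
  const sources = effectiveSources(policy, DIRECTIVE_FOR[loadType]);
  if (sources === null) return true;
  return sources.some((s) => matchesSource(s, url, pageOrigin));
}

// Summarise the before/after behaviour for the loads discussed in the message.
function evaluateExamples() {
  const before = parseCsp(BEFORE);
  const after = parseCsp(AFTER);
  return {
    fetchDataBefore: isAllowed(before, 'fetch', 'data:text/plain,hello', PAGE_ORIGIN),
    fetchDataAfter: isAllowed(after, 'fetch', 'data:text/plain,hello', PAGE_ORIGIN),
    fetchBlobAfter: isAllowed(after, 'fetch', 'blob:https://app.example/0', PAGE_ORIGIN),
    scriptDataAfter: isAllowed(after, 'script', 'data:text/javascript,1', PAGE_ORIGIN),
    imgDataBefore: isAllowed(before, 'img', 'data:image/png;base64,AA==', PAGE_ORIGIN),
    fetchOtherOriginAfter: isAllowed(after, 'fetch', 'https://other.example/api', PAGE_ORIGIN),
  };
}

console.log(evaluateExamples());
```

Before the change, fetch('data:...') is refused because connect-src is absent and default-src 'self' cannot match a data: URL; after it, the same fetch succeeds, while a script-src of 'self' still rejects data: as a script source, which is the property the message relies on. The evaluator also shows that '*' alone would not have been enough, since CSP excludes data: and blob: from the wildcard.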