Yaffle / EventSource

a polyfill for http://www.w3.org/TR/eventsource/
MIT License
2.11k stars 336 forks

Error when content security policy does not allow data: in connect-src #125

Closed tdever closed 5 years ago

tdever commented 5 years ago

If a content security policy is specified, eventsource.js will report an error unless data schemes are allowed in connect-src. This appears to be an issue related to a fix for #123. To reproduce this, set the content security policy to this: default-src 'self'; connect-src 'self'

Here is the reported error from Chrome:

Refused to connect to 'data:,a' because it violates the following Content Security Policy directive: "connect-src 'self'"

I've traced the issue to this bit of code in eventsource.js:

  // see #118
  // We don't care about the content of the data URI, but Edge 15 will crash if the content is empty (#123), so make it one byte.
  if (fetch != undefined && fetch("data:,a").finally == undefined) {
    var originalFetch = fetch;
    fetch = function (url, options) {
      return Promise.resolve(originalFetch(url, options));
    };
  }

The fetch("data:,a") causes the CSP violation because the data scheme is not allowed. Updating the connect-src rule to connect-src 'self' data: will resolve the problem, but this is not an ideal solution. Is there some other way to resolve #118 or #123 that does not require the CSP to accommodate this?
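The failure tdever describes, as an added example that is not part of the original issue or of the EventSource project: a simplified connect-src evaluator (by assumption it handles only 'self', 'none', scheme sources such as data: and exact-origin host sources), a simulated fetch that enforces that policy the way a browser does, and the two detection strategies side by side. The page origin https://app.example.test and the fake fetch are constructed for the demo; Edge 15's missing .finally is simulated by returning a thenable that lacks it.

```javascript
// Added example (not code from the Yaffle/EventSource project). It models a page
// with the issue's CSP and a fetch whose promises may lack .finally (as on Edge 15),
// then compares the probe-based detection quoted in the issue with a probe-free one.

// 1. Simplified connect-src evaluator. Assumption: only 'self', 'none', scheme
//    sources ("data:", "https:") and exact-origin host sources are supported.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// Would a connection to `url` from a page at `pageOrigin` be allowed?
// connect-src falls back to default-src when it is absent, as CSP specifies.
function connectAllowed(policy, url, pageOrigin) {
  const d = parseCsp(policy);
  const sources = d['connect-src'] || d['default-src'];
  if (sources === undefined) return true; // no directive restricts connections
  const target = new URL(url, pageOrigin);
  const self = new URL(pageOrigin).origin;
  return sources.some((src) => {
    if (src === "'none'") return false;
    // 'self' never matches a data: URL: its origin is opaque ("null"), not the page's
    if (src === "'self'") return target.origin === self;
    if (src.endsWith(':')) return target.protocol === src; // scheme source, e.g. data:
    return target.origin === src;                            // host source, e.g. https://api.example.test
  });
}

// 2. Simulated browser globals. The fake fetch enforces the policy the way a
//    browser does: a blocked request is reported (pushed to `violations`) and
//    rejected. nativeFinally=false mimics Edge 15 (fetch's promise has no .finally).
function makeEnv({ policy, pageOrigin, nativeFinally }) {
  const violations = [];
  function fetch(url) {
    let p;
    if (connectAllowed(policy, url, pageOrigin)) {
      p = Promise.resolve({ ok: true, url: String(url) });
    } else {
      violations.push(`Refused to connect to '${url}' because it violates the CSP`);
      p = Promise.reject(new TypeError('Failed to fetch'));
      p.catch(() => {}); // mark handled so the demo does not abort Node on the probe
    }
    // A thenable with then/catch but no finally stands in for a pre-.finally Promise
    return nativeFinally ? p : { then: p.then.bind(p), catch: p.catch.bind(p) };
  }
  return { fetch, violations };
}

// 3a. Detection as quoted in the issue: one real call to fetch("data:,a").
//     Under "connect-src 'self'" the probe itself is the violation.
function installWithProbe(env) {
  if (env.fetch != undefined && env.fetch('data:,a').finally == undefined) {
    const originalFetch = env.fetch;
    env.fetch = (url, options) => Promise.resolve(originalFetch(url, options));
  }
}

// 3b. Probe-free: keep the `fetch != undefined` guard but normalise every result
//     through Promise.resolve, which returns a promise of this realm (so .finally
//     is there whenever Promise.prototype.finally is). No request is issued.
function installWithoutProbe(env) {
  if (env.fetch != undefined) {
    const originalFetch = env.fetch;
    env.fetch = (url, options) => Promise.resolve(originalFetch(url, options));
  }
}

// 4. Run a strategy under the issue's policy and report what a reviewer cares about:
//    did installing trigger a CSP report, and does a same-origin fetch have .finally?
function demo(strategy, nativeFinally) {
  const env = makeEnv({
    policy: "default-src 'self'; connect-src 'self'", // policy from the issue
    pageOrigin: 'https://app.example.test',           // constructed page origin
    nativeFinally,
  });
  strategy(env);
  const hasFinally = typeof env.fetch('/events').finally === 'function';
  return { violations: env.violations, hasFinally };
}

console.log(demo(installWithProbe, false));    // one violation recorded, .finally present
console.log(demo(installWithoutProbe, false)); // no violation recorded, .finally present
```

Run it with node. The probe-based install reports a violation whether or not the engine's promises already have .finally, because the report is generated by the request, not by the result. The probe-free install keeps the `fetch != undefined` guard from the original code, which matters on engines that have no fetch at all, and still yields promises with .finally because Promise.resolve returns a promise of the current realm.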

Yaffle commented 5 years ago

Oh, this is not good, thanks for the report. I have no solution for this right now.

Yaffle commented 5 years ago

https://github.com/Yaffle/EventSource/blob/master/src/eventsource.js#L49

-  // see #118
+ // see #118, #123, #125
-  // We don't care about the content of the data URI, but Edge 15 will crash if the content is empty (#123), so make it one byte.
-  if (fetch != undefined && fetch("data:,a").finally == undefined) {
+ if (true) {
     var originalFetch = fetch;
     fetch = function (url, options) {
       return Promise.resolve(originalFetch(url, options));
     };
   }
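Review bot: the `fetch != undefined` guard is dropped together with the probe at `+ if (true) {`, so where `fetch` is undefined the block now runs `var originalFetch = fetch;` with undefined and installs a `fetch` wrapper that throws a TypeError the first time it is called; keep the guard, `if (fetch != undefined) {`, and remove only the `fetch("data:,a")` call. The replacement comment `+ // see #118, #123, #125` should also state why the wrapping is now unconditional (the data: probe violates connect-src, #125), because `if (true)` otherwise reads like debugging residue.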

mfaustusi commented 5 years ago

Looking for an official release with this change since adding data: to our CSP is not an option.

Yaffle commented 5 years ago

@mfaustusi, it is here