Open dcramer opened 3 years ago
Aside from that, the only other hypothetical we came up with is embedding the replayer on a different subdomain (with a controlled cookie policy) and then setting the CSP header there. That's obviously a huge lift from an implementation POV, so this (or a different) approach works.
A few other ideas (not mine) that have come up:
- `<meta>` tag for CSP - ~~may or may not inherit parent policy so we'd have to test~~ doesn't work
AFAIK this isn't resolved, but we're seeing an issue where the parent page's aggressive policy is preventing the iframe from loading assets. It looks like we might be able to use the `<iframe csp>` attribute to control this, but I've not yet tested that solution (and I'm not sure of browser support for it). If this does work, it'd be even better if we could make the policy reflect that of the embedded page, but I'm guessing we won't have access to read the current policy via JS.