ulixee / hero

The web browser built for scraping
MIT License

fix(timetravel): timetravel creating dup contexts #110

Closed blakebyrnes closed 2 years ago

blakebyrnes commented 2 years ago

When you access ContentWindow or Parent from an isolated Chrome context, it seems to create additional isolated contexts. This creates a situation where, in TimeTravel, we're ending up with many HeroWorlds, and then we don't know which one has pre-installed the domReplayer script and other things. This issue does not seem to exist when things are run in the default context; however, if you "disable" JavaScript, it also disables JavaScript in the main context. I was able to work around this by re-enabling JavaScript in the default context, but adding a ContentSecurityPolicy that says only scripts with the nonce "hero-timetravel" should be allowed - i.e., no scripts. The main downside is this creates logging about blocked content security policies. However... it fixes the breaking history. I'm not sure how to find a better solution. I think we should likely log something in the Chromium project about the broken contexts, but this is the best option we've got for now.

calebjclark commented 2 years ago

nonce?

blakebyrnes commented 2 years ago

> nonce?

a nonce

blakebyrnes commented 2 years ago

> nonce?

It's a Content Security Policy HTTP header that tells Chrome to only allow script-src where a specific nonce is on it.
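
The policy discussed in this thread, as an added example that is not part of the thread and not code from the Hero project: a simplified model of how a nonce-only `script-src` decides which scripts run. The header string and the sample scripts are constructed; only the nonce value `hero-timetravel` comes from the thread.

```javascript
// Added example: simplified model of CSP nonce matching, not Hero's code.
// Assumed header value; the thread only gives the nonce "hero-timetravel".
const POLICY = "script-src 'nonce-hero-timetravel'";

// Parse a CSP header value into a map of directive name -> source list.
function parseCsp(header) {
  const directives = Object.create(null);
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    // A repeated directive is ignored: the first occurrence wins.
    if (key && !(key in directives)) directives[key] = sources;
  }
  return directives;
}

// Decide whether a script element may run. Only nonce sources and 'none'
// are modelled; any other source expression is rejected as unsupported.
function scriptAllowed(header, script) {
  const d = parseCsp(header);
  const sources = d['script-src'] ?? d['default-src'];
  if (sources === undefined) return true; // no directive governs scripts
  for (const source of sources) {
    const m = /^'nonce-([A-Za-z0-9+\/_-]+={0,2})'$/.exec(source);
    if (m) {
      if (script.nonce === m[1]) return true; // exact, case-sensitive match
    } else if (source.toLowerCase() !== "'none'") {
      throw new Error(`source not modelled here: ${source}`);
    }
  }
  return false;
}

// Constructed script elements such as a replayed page might contain.
const SAMPLES = [
  { label: 'inline, no nonce', nonce: undefined },
  { label: 'external, no nonce', src: 'https://cdn.example/app.js' },
  { label: 'inline, other nonce', nonce: 'r4nd0m' },
  { label: 'inline, policy nonce', nonce: 'hero-timetravel' },
];

function evaluateSamples(header = POLICY) {
  return SAMPLES.map((s) => [s.label, scriptAllowed(header, s)]);
}

for (const [label, ok] of evaluateSamples()) {
  console.log(`${ok ? 'runs   ' : 'blocked'}  ${label}`);
}
```

Because the nonce is a fixed string, the policy blocks every script only as long as no replayed markup carries that exact `nonce` attribute; a site using nonces to allow its own scripts needs a fresh random value per response.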