CSP blocks RefreshToken related script, blob and worker?

emregency · June 5, 2020, 11:47am

I am not really sure but since I enabled the refreshTokens on auth0-spa-js, my CSP is blocking an inline-script, a worker for a blob: and a script with a hash sha256-CjbsvJcxUx3M+4F2KcGh0DoVaOk/TU125pa7AZxyM90= on route /callback.

I am suspecting it to be related to an iframe that may be required by the new refreshTokens but I cannot be sure.

Any insight would be highly appreciated.

emregency · June 9, 2020, 11:52am

If you use CSP with refreshTokens,

I can confirm that enabling refreshTokens in auth0-spa-js requires blob: on worker-src and on child-src (as Safari doesn’t support worker-src)

konrad.sopala · June 9, 2020, 11:59am

Thanks for sharing that with the rest of community!

system · June 24, 2020, 12:05pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Prevent SPA JS SDK from doing iframe-based silent authentication Knowledge Articles sdk , spa , js , refresh_token , access , offline , fallback , silent-authentication	1	2380	September 21, 2022
Using Auth0 js sdk in Browser Worker Help	0	1742	March 7, 2022
New auth0 spa js Help	4	3164	October 4, 2019
Token refresh does not work in `auth0-spa-js` Feedback sdk , javascript	3	3576	July 19, 2022
Secure cached token idea Help auth0-spa-js	2	3095	June 27, 2022

CSP blocks RefreshToken related script, blob and worker?

Related topics