CSP blocks RefreshToken related script, blob and worker?

I am not really sure but since I enabled the refreshTokens on auth0-spa-js, my CSP is blocking an inline-script, a worker for a blob: and a script with a hash sha256-CjbsvJcxUx3M+4F2KcGh0DoVaOk/TU125pa7AZxyM90= on route /callback.

I am suspecting it to be related to an iframe that may be required by the new refreshTokens but I cannot be sure.

Any insight would be highly appreciated.

If you use CSP with refreshTokens,

I can confirm that enabling refreshTokens in auth0-spa-js requires blob: on worker-src and on child-src (as Safari doesn’t support worker-src)

1 Like

Thanks for sharing that with the rest of community!

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.