3 years ago

After enabling Content Security Policy headers for a pimcore instance the backend didn't work like it did before anymore. The problem here is that this Content Security Policy forbids the synchronous XMLHttpRequest within the browser. Pimcore itself, precisely ExtJS Ajax requests are sometimes still using synchronous requests in version 6 which causes those requests to fail with an exception. After removing that part and using the Content Security Policy like this, the backend worked again like it did before introducing CPS headers: New version: feature-policy: geolocation 'none';midi 'none';microphone 'none';camera 'none';magnetometer 'none';gyroscope 'none';fullscreen 'self';payment 'none'; permissions-policy: geolocation=(), midi=(), microphone=(), camera=(), magnetometer=(), gyroscope=(), fullscreen=(self), payment=() You can also read this Github issue in the pimcore repository: https://github.com/pimcore/pimcore/issues/7955