CORS errors with SVG and Internet Explorer

When working on my latest project, nocloud.website, I encountered a strange error in production:

Content Security Policy: The page’s settings blocked the loading of a resource at inline (“default-src”).

Internet Explorer 11

IE does not know the connect-src directive. Sadly, IE now ignores the complete policy.

fetch("https://httpbin.org/get")
// [object Promise]: {}
// [object Response]: {body: ReadableStream, bodyUsed: false, headers: Headers, ok: true, redirected: false...}

So this means that with the rise of new features, IE users even lose the protection that they had when their browser was built.

Expected result, e.g. on Firefox:

fetch("https://httpbin.org/get")
// Promise { <state>: "rejected" }

// Content Security Policy: The page’s settings blocked the loading of a resource at https://httpbin.org/get (“default-src”).
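
The two outcomes above can be turned into a runtime check, so the page knows when it is running without its policy. This is an added example, not code from the original post; probeCspEnforcement, withCspGuard and CANARY_URL are hypothetical names, and it assumes fetch and Promise are available (IE 11 needs polyfills for both).

```javascript
// Added example (hypothetical names, not from the original post).
// Probe whether this browser enforces the page's CSP for fetch/XHR by
// requesting a canary URL that the policy must block.
// Assumption: the canary is reachable and CORS-enabled (like the httpbin URL
// used on this page) and is NOT allowed by connect-src/default-src.
var CANARY_URL = "https://httpbin.org/get";

function probeCspEnforcement(fetchImpl, canaryUrl) {
  return fetchImpl(canaryUrl, { credentials: "omit" }).then(
    function () {
      // The request left the browser: the policy was not applied (the IE 11 case).
      return { enforced: false, reason: "canary request was allowed" };
    },
    function (err) {
      // Rejected: blocked by CSP (the Firefox case). A network outage also lands
      // here, so this branch means "not proven unenforced", not a guarantee.
      return { enforced: true, reason: String((err && err.message) || err) };
    }
  );
}

// Run onEnforced only when the policy is enforced; otherwise take the fallback
// path, for example by disabling features that render untrusted content.
function withCspGuard(fetchImpl, onEnforced, onUnprotected) {
  return probeCspEnforcement(fetchImpl, CANARY_URL).then(function (result) {
    return result.enforced ? onEnforced(result) : onUnprotected(result);
  });
}

// In the browser:
// withCspGuard(window.fetch.bind(window), startApp, startRestrictedApp);
```

The code is written in ES5 syntax so that IE 11 can parse it.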
