
I'm implementing a CSP policy for an application.

If I try to retrieve a URL with Content-Type: application/json, I get an empty "" responseText.

There is no error in the console, as is the case with CSP violations.

Example AJAX call that produces an empty result when CSP is in use:

var xhttp = new XMLHttpRequest();
// Register the handler before send() so no state change can be missed.
xhttp.onreadystatechange = function() {
  // readyState 4 = DONE; only log the body for a successful response.
  if (this.readyState == 4 && this.status == 200) {
    console.log(this.responseText);
  }
};
xhttp.open("GET", "/something/555.json", true);
xhttp.send();

It doesn't matter if that URL produces a JSON object or text. Neither does it depend on the contents of the Content-Security-Policy header. I have tried allowing all possible directives, and simply an empty header. Same issue with Chrome, Firefox and Safari.

The request DOES go through to the server. And if I try to get a nonexistent page, the console shows the 404 properly. URLs without .json, e.g. .html, .jsonn, .foo, or no extension, produce no issues, as they generate an application/text mimetype.

I'm at my wits' end. The CSP documentation does not mention anything relating to JSON or mimetypes specifically. What am I doing wrong?

dw_

1 Answer


Solved. Apparently sending the CSP headers with the JSON request broke things.

For anyone else running into this: CSP headers should not be included in AJAX responses.

  • See [Content Security Policy (CSP) Header: Onto each file or only the actual HTML pages?](https://stackoverflow.com/q/54203764/456456) for a more elaborate discussion on when to set the CSP headers or not. – R. Schreurs Dec 23 '19 at 16:19
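The rule the answer and the linked discussion arrive at, set CSP on the rendered HTML document and leave it off data responses such as the .json the XHR fetches, as an added example that is not code from the question or the answer. The response shape and the sample responses are constructed for the example; the Content-Type parsing and the nosniff header are real and framework-agnostic.

```javascript
// Added example: choose, per response, whether Content-Security-Policy belongs on it.
// CSP governs the document a browser renders, so it is attached to HTML responses
// and omitted from JSON (or other data) responses fetched via XMLHttpRequest/fetch.

const CSP_VALUE =
  "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";

// Media types the browser renders as a document (and where CSP is meaningful).
const DOCUMENT_TYPES = new Set(["text/html", "application/xhtml+xml"]);

// Extract the media type from a Content-Type value, dropping parameters such as
// "; charset=utf-8" and normalising case:
// "Application/JSON; charset=UTF-8" -> "application/json".
function mediaTypeOf(contentType) {
  if (typeof contentType !== "string") return "";
  return contentType.split(";")[0].trim().toLowerCase();
}

// True when the response is a document that CSP should govern.
function needsCsp(contentType) {
  return DOCUMENT_TYPES.has(mediaTypeOf(contentType));
}

// Build the header map for a response of the constructed shape
// { path, contentType, headers }. JSON responses get no CSP, but every response
// keeps X-Content-Type-Options: nosniff so a data file is never sniffed into a document.
function applySecurityHeaders(response) {
  const headers = {
    ...response.headers,
    "Content-Type": response.contentType,
    "X-Content-Type-Options": "nosniff",
  };
  if (needsCsp(response.contentType)) {
    headers["Content-Security-Policy"] = CSP_VALUE;
  } else {
    // Strip any CSP a generic "add security headers everywhere" layer put on data.
    delete headers["Content-Security-Policy"];
  }
  return headers;
}

// Constructed sample responses mirroring the question: the HTML page and the
// /something/555.json data the XHR fetches (wrongly carrying a CSP header).
const sampleResponses = [
  { path: "/index.html", contentType: "text/html; charset=utf-8", headers: {} },
  { path: "/something/555.json", contentType: "application/json",
    headers: { "Content-Security-Policy": CSP_VALUE } },
];

// Returns [path, hasCspAfterProcessing] pairs, e.g. [["/index.html", true], ["/something/555.json", false]].
function summarize() {
  return sampleResponses.map(r => [r.path, "Content-Security-Policy" in applySecurityHeaders(r)]);
}
```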