New Extensions policy for Content Security Policy (CSP) directives and timeline for enforcement

@Dist thanks for your reply, but the Facebook Pixel can’t be fixed in this way. It fetches its script from https://connect.facebook.net/en_US/fbevents.js and we can’t add that domain to the CSP script-src. It would be great if Twitch added that domain to the CSP just like https://www.google-analytics.com

Well, in that case such an Extension should never have been able to pass review, as all JS content MUST be loaded from Twitch’s CDN, with the exception of Google Analytics and the Extension helper. That’s not a new thing with the recent CSP changes; that’s how it has always been intended to be.

If Facebook offers no option to store those JS libraries within your Extension, you should either use a different service that does comply with the guidelines, or I suggest creating a UserVoice to request that feature, as loading external JS is a separate thing from this recent CSP change. Developers: Top (624 ideas) – Twitch UserVoice

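To make the reply above concrete, here is an added example (not Twitch's code, and not Twitch's real policy) of how a browser evaluates a CSP source list: a simplified script-src/connect-src matcher run against a constructed policy that, like the one described in the thread, allows scripts only from the Extension's own CDN (a placeholder host here) and Google Analytics. It shows why a script from connect.facebook.net is refused while the Google Analytics one passes.

```python
"""Simplified CSP source-list evaluator (added example; hosts are constructed stand-ins)."""
from urllib.parse import urlparse


def parse_csp(header: str) -> dict:
    """Split 'directive src src; directive src' into {directive: [sources]}."""
    policy = {}
    for clause in header.split(";"):
        tokens = clause.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _host_matches(pattern: str, host: str) -> bool:
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):          # *.example.com covers sub.example.com
        return host.endswith(pattern[1:])
    return pattern == host


def source_allowed(policy: dict, directive: str, url: str, self_origin: str) -> bool:
    """True if `url` may load under `directive`; falls back to default-src."""
    sources = policy.get(directive, policy.get("default-src", []))
    target, own = urlparse(url), urlparse(self_origin)
    for src in sources:
        if src == "'none'":
            return False
        if src == "'self'":
            if (target.scheme, target.hostname) == (own.scheme, own.hostname):
                return True
            continue
        if src.startswith("'"):           # 'unsafe-inline', nonces, hashes: not host sources
            continue
        scheme, _, rest = src.rpartition("://")       # scheme is "" if none given
        if scheme and scheme.lower() != target.scheme:
            continue
        host = rest.split("/", 1)[0].rsplit(":", 1)[0]   # drop path and port
        if _host_matches(host, target.hostname or ""):
            return True
    return False


# Constructed policy in the shape the reply describes; extension-cdn.example is a stand-in.
EXAMPLE_POLICY = parse_csp(
    "default-src 'self'; "
    "script-src 'self' https://extension-cdn.example https://www.google-analytics.com; "
    "connect-src 'self' https://ebs.example"
)
EXAMPLE_ORIGIN = "https://extension-cdn.example"


def check(url: str, directive: str = "script-src") -> bool:
    return source_allowed(EXAMPLE_POLICY, directive, url, EXAMPLE_ORIGIN)
```

Note that connect-src governs XHR/fetch/axios calls separately from script-src, which is why a host allowed for one is not automatically allowed for the other.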

I’ve added the content security policy on my response headers via this post, and I also had to add ‘unsafe-inline’ to a few of them. I got it to work to the point of getting an access token for the requesting user, and storing it in my database.

However, I have a step in the panel.js where the user is to access the database and retrieve the access token they just generated, and run some more GET/POST requests with axios calls, but the CSP response headers are not being added to those axios calls (responses). So, I get denied by Twitch.

Is there somewhere else I have to add the CSP response headers, besides the Express backend?

CSP goes in the dashboard to control what the front end code/HTML/JS/CSS can access.

CSP headers do not go in the EBS/Express backend for an Extension use case.

An example:

Thank you for the response Barry! I will try this. Looking in the Development console now for these settings. Where exactly can I find this?

Capabilities tab

Thank you for the help!