docs: add a note about CSP for modern mode [ci skip]

Evan You
2018-07-31 10:14:52 -04:00
parent 26271d520c
commit 87f6eda2b9


@@ -64,6 +64,12 @@ For a Hello World app, the modern bundle is already 16% smaller. In production,
::: tip
`<script type="module">` is loaded [with CORS always enabled](https://jakearchibald.com/2017/es-modules-in-browsers/#always-cors). This means your server must return valid CORS headers such as `Access-Control-Allow-Origin: *`. If you want to fetch the scripts with credentials, use the [corsUseCredentials](../config/#corsusecredentials) option.
Also, modern mode uses an inline script to avoid Safari 10 loading both bundles, so if you are using a strict CSP, you will need to explicitly allow the inline script with:
```
Content-Security-Policy: script-src 'self' 'sha256-4RS22DYeB7U14dra4KcQYxmwt5HkOInieXK1NUMBmQI='
```
:::
[autoprefixer]: https://github.com/postcss/autoprefixer
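Review bot: the `sha256-...` value in the added `Content-Security-Policy` line is a hard-coded literal that only matches one exact byte sequence of the inline script, and the note gives readers no way to tell when it has gone stale. If the inline script changes in a later release, anyone who copied this header will have that script blocked by their policy. Suggest stating which release the hash applies to, or saying that it must be recomputed from the inline script as emitted, and making clear that the `'sha256-...'` source is meant to be merged into the reader's existing `script-src` rather than used as the whole policy. The added sentence is also appended to the CORS tip; a separate paragraph or its own tip block would make the CSP requirement easier to find.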