Combating "Synchronous XMLHttpRequest on the main thread is deprecated" followed by XMLHttpRequest exception in Pimcore

Tom Hatzer • January 21, 2021

pimcore csp

After enabling Content Security Policy headers for a Pimcore instance, the backend no longer worked as it had before.

These are the settings I added initially. They caused the backend to malfunction with a "Synchronous XMLHttpRequest on the main thread is deprecated" warning followed by an XMLHttpRequest exception in the browser's console:

Old version:

feature-policy: geolocation 'none';midi 'none';sync-xhr 'none';microphone 'none';camera 'none';magnetometer 'none';gyroscope 'none';fullscreen 'self';payment 'none';
permissions-policy: geolocation=(), midi=(), sync-xhr=(), microphone=(), camera=(), magnetometer=(), gyroscope=(), fullscreen=(self), payment=()

The problem here is that the sync-xhr setting in this Content Security Policy forbids synchronous XMLHttpRequest in the browser. Pimcore, or more precisely its ExtJS Ajax layer, sometimes still uses synchronous requests in version 6, which causes those requests to fail with an exception.

After removing that part and using the Content Security Policy like this, the backend worked again as it did before introducing the CSP headers:

New version:

feature-policy: geolocation 'none';midi 'none';microphone 'none';camera 'none';magnetometer 'none';gyroscope 'none';fullscreen 'self';payment 'none';
permissions-policy: geolocation=(), midi=(), microphone=(), camera=(), magnetometer=(), gyroscope=(), fullscreen=(self), payment=()
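
An added example (not from the original post or from Pimcore): a small Node.js check that parses both header syntaxes shown above and reports which header disables sync-xhr for the page's own origin, so a policy change can be tested before it reaches the backend. The function names are hypothetical, and the parsers are simplified (no commas inside quoted origins, no parameters).

```javascript
// Added example. OLD_HEADERS / NEW_HEADERS are the two header sets from this post.
const OLD_HEADERS = {
  'feature-policy': "geolocation 'none';midi 'none';sync-xhr 'none';microphone 'none';camera 'none';magnetometer 'none';gyroscope 'none';fullscreen 'self';payment 'none';",
  'permissions-policy': 'geolocation=(), midi=(), sync-xhr=(), microphone=(), camera=(), magnetometer=(), gyroscope=(), fullscreen=(self), payment=()',
};
const NEW_HEADERS = {
  'feature-policy': "geolocation 'none';midi 'none';microphone 'none';camera 'none';magnetometer 'none';gyroscope 'none';fullscreen 'self';payment 'none';",
  'permissions-policy': 'geolocation=(), midi=(), microphone=(), camera=(), magnetometer=(), gyroscope=(), fullscreen=(self), payment=()',
};

// Legacy syntax: "feature allowlist; feature allowlist" with quoted keywords.
function parseFeaturePolicy(value) {
  const policy = new Map();
  for (const part of value.split(';')) {
    const [feature, ...allow] = part.trim().split(/\s+/);
    if (feature) policy.set(feature, allow.map(t => t.replace(/^'|'$/g, '')));
  }
  return policy;
}

// Current syntax: "feature=(allowlist), feature=*" where () means disabled.
function parsePermissionsPolicy(value) {
  const policy = new Map();
  for (const part of value.split(',')) {
    const m = part.trim().match(/^([a-z0-9-]+)=(?:\(([^)]*)\)|(\S+))$/);
    if (!m) continue; // skip entries this simplified parser does not understand
    const tokens = m[2] !== undefined ? m[2].split(/\s+/).filter(Boolean) : [m[3]];
    policy.set(m[1], tokens.map(t => t.replace(/^"|"$/g, '')));
  }
  return policy;
}

// Returns the (lower-cased) header names that disable sync-xhr for the own origin.
function syncXhrBlocked(headers) {
  const parsers = { 'feature-policy': parseFeaturePolicy, 'permissions-policy': parsePermissionsPolicy };
  const findings = [];
  for (const [name, value] of Object.entries(headers)) {
    const parse = parsers[name.toLowerCase()];
    if (!parse) continue;
    const allow = parse(value).get('sync-xhr');
    // No sync-xhr entry means the browser default (allowed everywhere) applies.
    // An allowlist without * or self is treated as blocking the own origin.
    if (allow && !allow.includes('*') && !allow.includes('self')) findings.push(name.toLowerCase());
  }
  return findings;
}

console.log('old:', syncXhrBlocked(OLD_HEADERS), 'new:', syncXhrBlocked(NEW_HEADERS));
```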

You can also read this GitHub issue in the Pimcore repository: DOMException in Google Chrome because of Synchronous XMLHttpRequest on the main thread is deprecated #7955