I'm building a SPA using oidc-client to sign in to an IDP built using Identity Server 4.
The login redirections seems to work fine but on Firefox I'm getting the following CSP issues
Content Security Policy: Ignoring "'unsafe-inline'" within script-src or style-src: nonce-source or hash-source specified (unknown)
Content Security Policy: The page's settings blocked the loading of a resource at self ("script-src 'unsafe-inline' 'sha256-VDXN0nOpFPQ102CIVz+eimHA5e+wTeoUUQj5ZYbtn8w='"). Source: !function(t){function __webpack_require_.... checksession:1
Content Security Policy: The page's settings blocked the loading of a resource at self ("script-src 'unsafe-inline' 'sha256-VDXN0nOpFPQ102CIVz+eimHA5e+wTeoUUQj5ZYbtn8w='"). Source: window.devToolsOptions = Object.assign(w.... checksession:1
Load denied by X-Frame-Options: http://localhost:5007/home/error?errorId=a74accc61bb821ee1f42f7013a306e90 does not permit cross-origin framing. (unknown)
I'm not setting any CSP meta tags on my SPA and I'm wondering if I have to. Digging a little bit it seems that oidc-client is adding an iframe into my application which points to the checksession page in Identity Server (which does include the CSP header "default-src 'none'; script-src 'unsafe-inline' 'sha256-VDXN0nOpFPQ102CIVz+eimHA5e+wTeoUUQj5ZYbtn8w='")
Can someone help me solving this or lead me into the right direction? My knowledge about CSP is very basic.
