Observed behaviour:
The back button does not work when Content-Security-Policy (CSP) is deployed. The back button link is blocked, since inline javascript and javascript: links are considered unsafe).
Expected behaviour:
Instead of a javasript: link, an external JS file should be served. This will be allowed by most CSPs (src: 'self' or src-script: 'self').
Observed behaviour:
The back button does not work when Content-Security-Policy (CSP) is deployed. The back button link is blocked, since inline javascript and
javascript:links are considered unsafe).Expected behaviour:
Instead of a
javasript:link, an external JS file should be served. This will be allowed by most CSPs (src: 'self'orsrc-script: 'self').