You might wonder which CSP directive applies when an allowed script makes a dynamic import:
```js
await import('other-script.js')
```
The answer is that dynamic imports are always allowed regardless of your Content-Security-Policy header. Neither script-src nor connect-src apply.
Should I worry about this?
It would require some strange code for user input to make it into an import() argument.
I wouldn't lose sleep over this.
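As an added example that is not part of the original card, the pattern below keeps user input out of the `import()` argument entirely: the caller passes a short key, and only specifiers from a fixed allowlist ever reach `import()`. The module names, paths and function names are assumptions for illustration.

```javascript
// Added example (not from the original card): never let a user-controlled
// string become the import() specifier. The risky shape the card alludes to
// would be something like  import(new URL(location).searchParams.get('m'))
// The hardened shape resolves a key against a frozen allowlist instead.

// Assumed module map; keys are what callers may name, values are the only
// specifiers that can ever be passed to import().
const MODULE_ALLOWLIST = Object.freeze({
  chart: './widgets/chart.js',
  table: './widgets/table.js',
});

// Resolve a caller-supplied key to an allowlisted specifier or throw.
// hasOwnProperty.call guards against prototype keys such as "constructor".
function resolveModuleSpecifier(name) {
  if (typeof name !== 'string') {
    throw new TypeError('module name must be a string');
  }
  if (!Object.prototype.hasOwnProperty.call(MODULE_ALLOWLIST, name)) {
    throw new Error(`unknown module: ${JSON.stringify(name)}`);
  }
  return MODULE_ALLOWLIST[name];
}

// The only place import() is called; its argument is always a known constant.
async function loadWidget(name) {
  const specifier = resolveModuleSpecifier(name);
  return import(specifier);
}

module.exports = { MODULE_ALLOWLIST, resolveModuleSpecifier, loadWidget };
```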
Posted by Henning Koch to makandra dev (2026-03-18 14:59)