javascript, browser, content-security-policy

As per CSP, can allowed JavaScript code run other JavaScript code downloaded from a different domain on a web page?


I have a JavaScript code snippet embedded inline on a page that downloads my main JavaScript code from a different CDN, cdnjs.com/xyz/main.js, and appends it to the body. So far this has worked fine for my customers. main.js is able to make AJAX calls and perform normally.

  • Is my assumption correct that clients must have allowed the cdnjs.com domain in their CSP policy? And is this process required for a setup like mine?

  • If I change my main JavaScript to additionally download and run new JavaScript code from another domain, cdnjs2.com/abc/new.js, will this new JavaScript code run fine and be able to make AJAX calls?


Solution

  • Is my assumption correct that clients must have allowed in their CSP policy the cdnjs.com domain?

    Well, since by default there is no CSP policy for a page, it would be truer to say they must not forbid that domain if they have a CSP.

    If I change my main JavaScript to additionally download and run new JavaScript code from another domain…

    When there is a CSP, every location that JS is sourced from must be allowed, even if the code that sources it is from an allowed location.
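To make the answer's last point concrete, here is an added example (not code from the question, the answer, or any browser) that evaluates a simplified `script-src` directive against the two script URLs from the question. The policy string and the page origin `https://shop.example` are constructed assumptions; the matcher models only scheme, host, wildcard-host and `'self'` sources, and does not model ports, paths, nonces, hashes or `'strict-dynamic'`.

```javascript
// Added example: a simplified evaluator for the CSP script-src directive.
// It models host, scheme, wildcard-host and 'self' sources only; ports,
// paths, nonces, hashes and 'strict-dynamic' are not handled. The policy
// and hostnames below are constructed for illustration.

// Parse "name src src; name src" into a Map of directive -> source list.
// Per the CSP spec the first occurrence of a directive wins.
function parsePolicy(policy) {
  const directives = new Map();
  for (const raw of policy.split(';')) {
    const [name, ...sources] = raw.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Does a single source expression match the script URL?
function sourceMatches(src, url, pageOrigin) {
  if (src === "'self'") return url.origin === pageOrigin;
  if (src === '*') return true;                  // simplified wildcard
  if (src.startsWith("'")) return false;         // 'none', 'unsafe-inline', nonce-/sha- values
  const hasScheme = src.includes('://');
  const [scheme, rest] = hasScheme ? src.split('://') : [null, src];
  if (scheme && scheme + ':' !== url.protocol) return false;
  const host = rest.split('/')[0].split(':')[0]; // drop path and port
  if (host.startsWith('*.')) return url.hostname.endsWith(host.slice(1));
  return url.hostname === host;
}

// Would the browser fetch and run scriptUrl under this policy?
function scriptAllowed(policy, scriptUrl, pageOrigin) {
  const directives = parsePolicy(policy);
  const sources = directives.has('script-src')
    ? directives.get('script-src')
    : directives.get('default-src');
  if (sources === undefined) return true;  // no governing directive: unrestricted
  if (sources.length === 0) return false;  // empty source list behaves like 'none'
  const url = new URL(scriptUrl);
  return sources.some(src => sourceMatches(src, url, pageOrigin));
}

// The question's scenario: the page allows cdnjs.com, and main.js (allowed)
// tries to inject new.js from cdnjs2.com. Each URL is checked on its own;
// which script requested it does not matter.
const policy = "default-src 'self'; script-src 'self' https://cdnjs.com";
const pageOrigin = 'https://shop.example';
const verdicts = {
  main: scriptAllowed(policy, 'https://cdnjs.com/xyz/main.js', pageOrigin), // true
  new: scriptAllowed(policy, 'https://cdnjs2.com/abc/new.js', pageOrigin),  // false
};
console.log(verdicts);
```

The same check applies to the AJAX calls `new.js` would make: those are governed by `connect-src`, which the page's policy must also allow.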