Is there anything specific you need to add to cont...
# support-questions-legacy
n
Is there anything specific you need to add to content security policy for Supertokens? I'm using the JS frontend and Node SDKs. It seems that with a CSP, `mergeIntoAccessTokenPayload` no longer works. But without, it begins working again.
r
hey @n000dles
can I see the browser console error for this please?
n
It doesn't look like there's a browser error oddly enough — for context, I have implemented WebAuthn 2FA in my authentication, so when the WebAuthn credential is verified, it merges `isVerified` into the access token payload. This works without my CSP, but as soon as my CSP is added again, there are no errors produced, but `mergeIntoAccessTokenPayload` just seems to no longer work. 🤔
r
hmm. Can you show me the API request and response headers for this with CSP enabled and without CSP enabled?
n
The API request for where the `isVerified` value is merged?
r
yes
n
Sure thing
r
and can you send me this when csp is disabled?
n
Oops, didn't see the last bit — attached now
r
Right. Thanks. So the response headers seem fine in both cases. I think the CSP rule prevents the JS from consuming the header. Does the subsequent request have the new access token or the older one?
n
Same access token per subsequent request it seems
r
I see. I don’t know anything off the top of my head right now, but you can open an issue about this and we shall have a look soon