when i add a layer to map, i found the JSONP request lost its referer header,this may cause some problems.
the referer header is useful in our project.
and i have debugged the lastest version(3.31) like this:
so i have some test:
<html>
<body>
</body>
<script>
var h =
'\x3c!DOCTYPE html\x3e ' +
'\x3chtml\x3e ' +
' \x3cmeta http-equiv="Content-Security-Policy" content="default-src \'none\'; script-src * \'unsafe-inline\'"\x3e ' +
'\x3chead\x3e ' +
' \x3cscript\x3e ' +
' var url2 = \'https://sampleserver6.arcgisonline.com/arcgis/rest/services/SampleWorldCities/MapServer\'; ' +
' var f = document.createElement("script"); ' +
' f.type = "text/javascript"; ' +
' f.src=url2; ' +
' f.async = !0; ' +
' f.charset = "utf-8"; ' +
' document.getElementsByTagName("head")[0].appendChild(f); ' +
' \x3c/script\x3e ' +
'\x3c/head\x3e ' +
'\x3cbody\x3e ' +
'\x3c/body\x3e ' +
'\x3c/html\x3e'
var a = document.createElement("iframe");
a.name = "esri_core_jsonp_iframe";
a.style.display = "none";
// referer has lost in request header if add this line
a.setAttribute("sandbox", "allow-scripts");
a.srcdoc = h
document.body.appendChild(a);
var a2 = document.createElement("iframe");
a2.name = "esri_core_jsonp_iframe2";
a2.style.display = "none";
// i think this request header is nomal
// a2.setAttribute("sandbox", "allow-scripts");
a2.srcdoc = h
document.body.appendChild(a2);
</script>
</html>
this function can run normal if don't add the "sandbox" attribute ,so why do you add the "sandbox" attribute? please let me kown,thank you!