According to the CSP spec
https://w3c.github.io/webappsec/specs/content-security-policy/#csp-request-header
If the user agent monitors or enforces a policy that contains a directive that contains a source list, then the user agent MUST set a CSP Request Header when requesting cross-origin resources, as described in §3.4 The CSP HTTP Request Header.
But "CSP" is not a simple header
https://fetch.spec.whatwg.org/#simple-header
A simple header is a header whose name is either one of Accept, Accept-Language, and Content-Language, or whose name is Content-Type and value, once parsed, has a MIME type (ignoring parameters) that is one of application/x-www-form-urlencoded, multipart/form-data, and text/plain.
So when the user agent requests a cross-origin resource which CSP is set, it must send a CORS preflight fetch.
This means when we use CSP, we can't use CDN which doesn't support CORS preflight.
Is this my understanding correct?
According to the CSP spec
https://w3c.github.io/webappsec/specs/content-security-policy/#csp-request-header
But "CSP" is not a simple header
https://fetch.spec.whatwg.org/#simple-header
So when the user agent requests a cross-origin resource which CSP is set, it must send a CORS preflight fetch.
This means when we use CSP, we can't use CDN which doesn't support CORS preflight.
Is this my understanding correct?