Style and script directives not applied
andreasvirkus opened this issue
Hello. I read on Gitter that it'd be better if I opened up an issue on GitHub, so here I go.
The way I've set up helmet/csp currently:

    // express import and app creation added so the snippet runs on its own;
    // the rest is the configuration as posted
    import express from 'express';
    import csp from 'helmet-csp';

    const app = express();

    app.use(csp({
      directives: {
        defaultSrc: [`'self'`],
        scriptSrc: [`'self'`, `'unsafe-inline'`, `*.google-analytics.com/`],
        styleSrc: [`'self'`, `'unsafe-inline'`],
        frameSrc: [`'self'`, `*.youtube.com/`, `*.vimeo.com/`],
        childSrc: [`'self'`, `*.youtube.com/`, `*.vimeo.com/`],
        objectSrc: [`'self'`, `*.youtube.com/`, `*.vimeo.com/`],
        imgSrc: [`*.amazonaws.com`, `data:`, `'self'`],
        connectSrc: [`'self'`],
        // boolean directive: emitted as a bare "upgrade-insecure-requests"
        upgradeInsecureRequests: true
      }
    }));
And then the errors I get with it lead me to believe most of these directives haven't registered properly:
    Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-S87yxoMcr9T7U+ZcUvvvkw7U6Ja2xsYbceNLyApPIr0='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

    Refused to load the image 'http://localhost:8080/favicon.ico' because it violates the following Content Security Policy directive: "img-src data: amazonaws.com".

    Refused to load the script 'https://localhost:8080/dist/build.js' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
That is odd. Your code looks correct at a glance.
Could you open the Network tab in your web inspector and see what the full header value is?
(I may be slow to respond because I'm taking a day off today—apologies.)
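The check suggested above (read back the full header value and compare it with what was configured) can also be done without a browser. The following is an added example, not code from helmet-csp or from this thread: it serializes a helmet-csp-style `directives` object into a header value, parses a header value back into directives, and reports which intended directives are missing (and will therefore fall back to default-src) or carry different sources. The function names (`serializeDirectives`, `parseCsp`, `auditPolicy`) are my own, and `OBSERVED_HEADER` is constructed from the directive text quoted in the console messages above, not captured from the server.

```javascript
// Added example: verify what a CSP header actually contains versus what was
// configured. Not part of helmet-csp; function names are illustrative.

// camelCase directive name -> kebab-case as it appears in the header
function directiveName(camel) {
  return camel.replace(/[A-Z]/g, (c) => '-' + c.toLowerCase());
}

// Build a header value in the shape "name src src; name src".
// `true` means a valueless directive (e.g. upgrade-insecure-requests),
// `false` means the directive is omitted.
function serializeDirectives(directives) {
  return Object.entries(directives)
    .filter(([, value]) => value !== false)
    .map(([name, value]) => {
      const key = directiveName(name);
      return value === true ? key : `${key} ${value.join(' ')}`;
    })
    .join('; ');
}

// Parse a Content-Security-Policy header value into { name: [sources] }.
// Directive names are case-insensitive; sources are kept as written.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Compare the intended directives with a header value actually seen on the wire.
// Source order is not significant in CSP, so sources are compared as sorted lists.
function auditPolicy(intended, header) {
  const actual = parseCsp(header);
  const missing = [];
  const changed = [];
  for (const [camel, value] of Object.entries(intended)) {
    if (value === false) continue;
    const name = directiveName(camel);
    if (!(name in actual)) {
      missing.push(name); // browser will fall back to default-src for fetch directives
      continue;
    }
    const want = (value === true ? [] : value).slice().sort();
    const got = actual[name].slice().sort();
    if (want.length !== got.length || want.some((s, i) => s !== got[i])) {
      changed.push({ name, want, got });
    }
  }
  return { missing, changed, fallback: actual['default-src'] || null };
}

// The directives from the report, as a plain object.
const OP_DIRECTIVES = {
  defaultSrc: ["'self'"],
  scriptSrc: ["'self'", "'unsafe-inline'", '*.google-analytics.com/'],
  styleSrc: ["'self'", "'unsafe-inline'"],
  frameSrc: ["'self'", '*.youtube.com/', '*.vimeo.com/'],
  childSrc: ["'self'", '*.youtube.com/', '*.vimeo.com/'],
  objectSrc: ["'self'", '*.youtube.com/', '*.vimeo.com/'],
  imgSrc: ['*.amazonaws.com', 'data:', "'self'"],
  connectSrc: ["'self'"],
  upgradeInsecureRequests: true,
};

// Constructed sample: a header containing only the directive text the console
// messages quoted. Not a captured response.
const OBSERVED_HEADER = "default-src 'self'; img-src data: amazonaws.com";

console.log('expected header:', serializeDirectives(OP_DIRECTIVES));
console.log('audit of observed header:', JSON.stringify(auditPolicy(OP_DIRECTIVES, OBSERVED_HEADER), null, 2));
```

In practice the second argument to `auditPolicy` is the value copied from the Network tab (or from `curl -sI` against the dev server); a non-empty `missing` list is the header-side counterpart of the "was not explicitly set, so 'default-src' is used as a fallback" console messages.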
It seemed that the frameSrc directive was buggy and caused other stuff to break. Or at least that's what I concluded, since removing it automagically fixed everything else for me. Sorry for bothering and thanks for helmet! 💯
👍 Glad it worked out! Feel free to open a new issue if anything else comes up.