helmetjs / csp

The source for this module has moved to the Helmet repository.

Home Page: https://github.com/helmetjs/helmet/

Style and script directives not applied

andreasvirkus opened this issue · comments

Hello. I read from Gitter that it'd be better if I opened up an issue on Github, so here I go.
The way I've set up helmet/csp currently:

import csp from 'helmet-csp';

app.use(csp({
  directives: {
    defaultSrc: [`'self'`],
    scriptSrc: [`'self'`, `'unsafe-inline'`, `*.google-analytics.com/`],
    styleSrc: [`'self'`, `'unsafe-inline'`],
    frameSrc: [`'self'`, `*.youtube.com/`, `*.vimeo.com/`],
    childSrc: [`'self'`, `*.youtube.com/`, `*.vimeo.com/`],
    objectSrc: [`'self'`, `*.youtube.com/`, `*.vimeo.com/`],
    imgSrc: [`*.amazonaws.com`, `data:`, `'self'`],
    connectSrc: [`'self'`],
    upgradeInsecureRequests: true
  }
}));

And then the errors I get with it lead me to believe most of these directives haven't registered properly:

Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-S87yxoMcr9T7U+ZcUvvvkw7U6Ja2xsYbceNLyApPIr0='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.
Refused to load the image 'http://localhost:8080/favicon.ico' because it violates the following Content Security Policy directive: "img-src data: amazonaws.com".
Refused to load the script 'https://localhost:8080/dist/build.js' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
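As an added example (not code from the issue or from helmet-csp), the JavaScript below parses the Content-Security-Policy header a browser actually received, applies the default-src fallback the error messages describe, and diffs the effective directives against the ones that were intended; the served header here is constructed from the errors quoted above.

```javascript
// Added example (not from the issue or helmet-csp): check a served CSP header
// against intended directives, applying the default-src fallback browsers use.
const FALLBACK = { // CSP Level 3 fallback chain (worker-src omitted; its chain is longer)
  'script-src': 'default-src', 'style-src': 'default-src', 'img-src': 'default-src',
  'connect-src': 'default-src', 'font-src': 'default-src', 'object-src': 'default-src',
  'media-src': 'default-src', 'child-src': 'default-src', 'frame-src': 'child-src',
};

// "name src src; name src" -> Map<name, string[]>; browsers ignore a repeated
// directive, so the first occurrence wins.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Source list the browser enforces for `directive` and which directive
// supplied it; `from` is null when nothing in the chain is set (unrestricted).
function effectiveSources(policy, directive) {
  let name = directive;
  while (name && !policy.has(name)) name = FALLBACK[name];
  return name ? { sources: policy.get(name), from: name } : { sources: null, from: null };
}

// Diff a served header against intended directives (source order ignored);
// returns one line per directive that is missing, differs, or falls back.
function findMismatches(header, intended) {
  const policy = parseCsp(header);
  const key = (list) => [...list].sort().join(' ');
  const problems = [];
  for (const [name, wanted] of Object.entries(intended)) {
    const { sources, from } = effectiveSources(policy, name);
    const got = sources === null ? '(unset)' : key(sources);
    if (from !== name || got !== key(wanted)) {
      problems.push(`${name}: wanted "${key(wanted)}", got "${got}" via ${from || 'nothing'}`);
    }
  }
  return problems;
}

const SERVED = "default-src 'self'; img-src data: amazonaws.com"; // constructed from the errors
const INTENDED = {
  'default-src': ["'self'"], 'style-src': ["'self'", "'unsafe-inline'"],
  'script-src': ["'self'", "'unsafe-inline'", '*.google-analytics.com/'],
  'img-src': ['*.amazonaws.com', 'data:', "'self'"],
};
console.log(findMismatches(SERVED, INTENDED)); // three entries: style, script, img
```

Run it against the header value copied from the Network tab instead of SERVED to see exactly which directives the server dropped or rewrote.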

That is odd. Your code looks correct at a glance.

Could you open the Network tab in your web inspector and see what the full header value is?

(I may be slow to respond because I'm taking a day off today—apologies.)

It seemed that the frameSrc directive was buggy and caused other stuff to break. Or at least that's what I concluded, since removing it automagically fixed everything else for me. Sorry for bothering and thanks for helmet! 💯

👍 Glad it worked out! Feel free to open a new issue if anything else comes up.