CSP false still uses CSP
Pomax opened this issue · comments
Pomax commented
STR:
    import express from "express";
    import helmet from "helmet";

    const app = express();

    app.use(
      helmet({
        contentSecurityPolicy: false,
      })
    );

    app.get(`/`, (req, res) => {
      res.status(200).json({ ok: true });
    });

    app.post(`/`, (req, res) => {
      res.status(200).json({ ok: true });
    });

    app.listen(8080, () => {
      console.log(`Server listening on http://localhost:8080`);
    });
Load http://localhost:8080, response is the expected JSON.
Open dev tools, console, await fetch("http://localhost:8080", { method: "POST" }).
Console throws CSP errors.
Evan Hahn commented
I can't reproduce this. What headers have you set on the page where you're running the fetch?
Pomax commented
Forgot to mention this is on Firefox nightly, and it looks like it's an FF bug because Chrome and friends have no problems with the exact same setup. So I guess I'm filing a "can you please unbreak firefox" report over on bugzilla =P
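The question above about the headers on the page running the fetch matters because a CSP is enforced from the policy of the document that issues the request, not from the response it gets back. The following is an added example, not code from this thread or from Helmet, that evaluates a page's policy against a fetch target; the function names are hypothetical and source matching is simplified to keywords, `*`, scheme sources and full origins.

```javascript
// Added example: would a page's CSP let fetch() reach a URL?
// Hypothetical helper names; simplified subset of CSP source matching.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // The first occurrence of a directive wins; duplicates are ignored.
    if (name && !policy.has(name.toLowerCase())) {
      policy.set(name.toLowerCase(), sources);
    }
  }
  return policy;
}

function sourceMatches(source, target, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return target.origin === pageOrigin;
  if (s === "*") return ["http:", "https:", "ws:", "wss:"].includes(target.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return target.protocol === s; // scheme source
  try {
    const origin = new URL(s).origin; // full origin, e.g. http://localhost:8080
    return origin !== "null" && origin === target.origin;
  } catch {
    return false; // host-only and wildcard-host sources are not handled here
  }
}

function fetchAllowed(cspHeader, pageUrl, targetUrl) {
  // No header on the page response means no policy is enforced.
  if (!cspHeader) return { allowed: true, directive: null };
  const policy = parseCsp(cspHeader);
  // fetch() is governed by connect-src, which falls back to default-src.
  const directive = ["connect-src", "default-src"].find((d) => policy.has(d));
  if (!directive) return { allowed: true, directive: null };
  const target = new URL(targetUrl, pageUrl);
  const pageOrigin = new URL(pageUrl).origin;
  const allowed = policy
    .get(directive)
    .some((s) => sourceMatches(s, target, pageOrigin));
  return { allowed, directive };
}

// Constructed inputs: the page and target from the report, with sample policies.
const page = "http://localhost:8080/";
for (const csp of [undefined, "default-src 'self'", "default-src 'self'; connect-src 'none'"]) {
  console.log(JSON.stringify(csp), fetchAllowed(csp, page, page));
}
```

Pass it the `Content-Security-Policy` value from the response that delivered the page whose console runs the fetch; a missing header corresponds to the first case.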