helmetjs / helmet

Help secure Express apps with various HTTP headers

Home Page:https://helmetjs.github.io/


CSP false still uses CSP

Pomax opened this issue · comments

commented

STR:

import express from "express";
import helmet from "helmet";
const app = express();

app.use(
  helmet({
    contentSecurityPolicy: false,
  })
);

app.get(`/`, (req, res) => {
  res.status(200).json({ ok: true });
});

app.post(`/`, (req, res) => {
  res.status(200).json({ ok: true });
});

app.listen(8080, () => {
  console.log(`Server listening on http://localhost:8080`);
});

Load http://localhost:8080, response is the expected json.

Open dev tools, console, await fetch("http://localhost:8080", { method: "POST" }).

Console throws CSP errors.

I can't reproduce this. What headers have you set on the page where you're running the fetch?

commented

Forgot to mention this is on Firefox nightly, and it looks like it's an FF bug because Chrome and friends have no problems with the exact same setup. So I guess I'm filing a "can you please unbreak firefox" report over on bugzilla =P