Reputation: 4044
Loading of a resource blocked by Content Security Policy
I'm getting the error below in the console of my browser:
Content Security Policy: The page’s settings blocked the loading of a resource at
http://localhost:3000/favicon.ico(“default-src”).
I searched online and saw that this should be fixed with the snippet of code below:
<meta http-equiv="Content-Security-Policy" content="default-src *;
img-src * 'self' data: https: http:;
script-src 'self' 'unsafe-inline' 'unsafe-eval' *;
style-src 'self' 'unsafe-inline' *">
I added this to my front-end app.component.html file (the parent template for all my front-end views), but this didn't work as expected.
I've also tried multiple permutations thereupon to no avail.
My front-end is at localhost:4200 and back-end at localhost:3000.
Below is the snippet of code from my back-end server (middleware):
app.use(cors());
app.options('*',cors());
var allowCrossDomain = function(req,res,next) {
res.header('Access-Control-Allow-Origin', '*');
res.header('Access-Control-Allow-Methods', 'GET, PUT, POST, DELETE');
res.header('Access-Control-Allow-Headers', 'Content-Type');
next();
}
app.use(allowCrossDomain);
I also have now added the following middleware to my backend (Express) server:
const csp = require('express-csp-header');
app.use(csp({
policies: {
'default-src': [csp.SELF, 'http://localhost:3000/', 'http://localhost:4200/' ],
'script-src': [csp.SELF, csp.INLINE],
'style-src': [csp.SELF],
'img-src': ['data:', 'favico.ico'],
'worker-src': [csp.NONE],
'block-all-mixed-content': true
}
}));
. . . but still hasn't fixed the problem.
Here is a screenshot:
What am I doing wrong and how can I fix it?
Upvotes: 35
Views: 141519
Answers (4)
Reputation: 59
nyedidikeke's answer is awesome !
With express-csp-header middleware, set the policies to pass CSP.
https://www.npmjs.com/package/express-csp-header
Here is my nodejs code :
const { expressCspHeader, INLINE, NONE, SELF } = require('express-csp-header');
const app = express();
// other app.use() options ...
app.use(expressCspHeader({
policies: {
'default-src': [expressCspHeader.NONE],
'img-src': [expressCspHeader.SELF],
}
}));
enjoy !!
Upvotes: 1
Reputation: 430
- /favicon.ico is automatically loaded by the web browser in the absence of other URLs for the favicon. This is specified by: https://html.spec.whatwg.org/multipage/links.html#rel-icon
- You current Content-Security-Policy was blocking it. You need to use something like:
Content-Security-Policy: img-src 'self'
Ideally web browser shouldn't even try /favicon.ico when it would be blocked. After all, loading /favicon.ico is triggered by the web browser, not the developer. I patched chrome (version >= 88) to remove the error:
https://chromium-review.googlesource.com/c/chromium/src/+/2438388
Upvotes: 3
Reputation: 7618
Content Security Policy (CSP) is a mechanism to help prevent Cross-Site Scripting (XSS) and is best handled at server side; please note it can be handled at client side as well, making use of the <meta> tag element of your HTML.
When configured and enabled, a web server will return the appropriate Content-Security-Policy in the HTTP response header.
You may want to read more about CSP on the on the HTML5Rocks website and Mozilla developer page here and here.
Google CSP Evaluator is a handy and free online tool to help test CSP for your website or web application.
In your instance, you may need to add the line below without enforcing HTTPS as protocol using the https: directive;
Because your website or application (as shared) is not available over HTTPS.
res.header('Content-Security-Policy', "img-src 'self'");
Starting with default-src directive set to none is a great way to start deploying your CSP settings.
In case you opt to use the Content-Security-Policy middleware for Express , you may get started as illustrated in the snippet below;
const csp = require('express-csp-header');
app.use(csp({
policies: {
'default-src': [csp.NONE],
'img-src': [csp.SELF],
}
}));
// HTTP response header will be defined as:
// "Content-Security-Policy: default-src 'none'; img-src 'self';"
Remember CSP are case or application specific and based on your project requirements.
As such, you need to fine tune in order to meet your need.
Upvotes: 27
Reputation: 15915
If you have a strict CSP header for e.g. images and other static files like
Content-Security-Policy: default-src 'none';
then Firefox will assume that it also means that the implicit reference to /favicon.ico used for tab icon is also banned. Chrome has internal special case where the implicit /favicon.ico is always allowed no matter the CSP header. To grant Firefox access to implicit /favicon.ico you have to add img-src 'self' at minimum.
Content-Security-Policy: default-src 'none'; img-src 'self';
Also note that the syntax of Content-Security-Policy policy only supports allowing specific origins and not URLs. The original question had img-src ... favicon.ico where it should have just said img-src ... 'self'. (CSP version 2 has limited support for prefix path within an origin but it has pretty complex edge cases with redirects so you should avoid using that feature if possible at all.)
Upvotes: 1
Related Questions
- Content Security Policy - Determine source of blocked resource
- Content Security Policy: The page's settings blocked the loading of a resource
- Content Security Policy: resource blocked but CSP is configured to allow it
- Refused to load scripts because it violates the following Content Security Policy directive
- CSP Configuration not allowing for proper loading of assets
- Content Security Policy preventing images from loading
- CSP and inline scripts getting blocked
- Content Security Policy: The page’s settings blocked the loading of a resource at blob
- Refused to connect to URL because of violation of Content Security Policy
- Refused to load because it violates Content Security Policy