Why is my resource getting blocked even though I allowed it specifically in the CSP declaration?

Question

Hi all hoping you can help but I don't know if you can. Having checked other questions about the CSP blocking, they all recommend to specifically allow your resource in the headers (or if you're using helmet, in a CSP declaration object) and now that I've now done that I still relentlessly get the same issue.

Here is my declaration via Helmet

app.use(helmet());
app.use(
  helmet.contentSecurityPolicy({
    directives: {
      defaultSrc: [
        "'self'",
        'https://*.mapbox.com',
        'https://*.stripe.com',
        'blob',
      ],
      baseUri: ["'self'"],
      fontSrc: ["'self'", 'https:', 'data:'],
      scriptSrc: ["'self'", 'https://*.cloudflare.com'],
      imgSrc: ["'self'", 'https://www.gstatic.com'],
      scriptSrc: [
        "'self'",
        'https://*.stripe.com',
        'https://cdnjs.cloudflare.com',
        'https://api.mapbox.com',
        'https://js.stripe.com',
        'blob',
      ],
      frameSrc: ["'self'", 'https://*.stripe.com'],
      objectSrc: ["'none'"],
      styleSrc: ["'self'", 'https:', "'unsafe-inline'"],
      upgradeInsecureRequests: [],
    },
  })
);

And then these are the errors:

web_worker.js:9 Refused to create a worker from 'blob:http://127.0.0.1:8000/a115d817-1a59-46c1-97e5-355513ade597' because it violates the following Content Security Policy directive: "script-src 'self' https://*.stripe.com https://cdnjs.cloudflare.com https://api.mapbox.com https://js.stripe.com blob". Note that 'worker-src' was not explicitly set, so 'script-src' is used as a fallback. 

Another one here:

Refused to load the image 'data:image/webp;base64,UklGRh4AAABXRUJQVlA4TBEAAAAvAQAAAAfQ//73v/+BiOh/AAA=' because it violates the following Content Security Policy directive: "img-src 'self' https://www.gstatic.com".

Answer 1

Console warnings show that:

• You miss a colon in blob: scheme.

• You need to specify data: in the img-src directive.