Reputation: 99
How do I set up helmet.js correctly to resolve CSP issue?
When I start my express app the browser gives me this error:
Refused to load the script 'http://localhost:1337/main.js' because it violates
the following Content Security Policy directive: "script-src unsafe-eval".
Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
In my index.js file I have set helmet up like so:
// Set Content Security Policies
const scriptSources = ["'self'", "'unsafe-inline'", "'unsafe-eval'"];
const styleSources = ["'self'", "'unsafe-inline'"];
const connectSources = ["'self'"];
app.use(
helmet.contentSecurityPolicy({
defaultSrc: ["'self'"],
scriptSrc: scriptSources,
scriptSrcElem: scriptSources,
styleSrc: styleSources,
connectSrc: connectSources,
reportUri: '/report-violation',
reportOnly: false,
safari5: false
})
);
app.use(helmet({
contentSecurityPolicy: false,
}));
and my index.html is loading in the .js file like this:
<script type="module" src="./main.js"></script>
Here is my GitHub Repo: https://github.com/jgonzales394/fsn.pw
Upvotes: 6
Views: 11325
Answers (3)
Reputation: 1
Ok, so I had a similar issue. This was resolved when I nest the directive but not the report to as such
app.use(helmet({
contentSecurityPolicy: {
directives: {
"script-src":['self',"http://localhost:3000/"],
},
reportOnly:true
},
}))
Upvotes: 0
Reputation: 99
Ok so I managed to get it working correctly. Helmet is allowing me to set my CSP this way:
app.use(
helmet.contentSecurityPolicy({
defaultSrc: ["'self'"],
scriptSrc: scriptSources,
scriptSrcElem: scriptSources,
styleSrc: styleSources,
connectSrc: connectSources,
reportUri: '/report-violation',
reportOnly: false,
safari5: false
})
);
So my main.js file is a vue app and I had it written like this before:
import * as Vue from './src/vue.esm-browser.js';
const App = Vue.createApp({
data() {
return {
slug,
url
}
},
methods: {
createUrl() {
console.log(this.slug, this.url);
}
}
}).mount('#app');
I rewrote the code like this:
import { createApp, ref } from './src/vue.esm-browser.js';
const slug = ref('');
const url = ref('');
createApp({
setup() {
const createUrl = () => {
console.log(slug.value, url.value);
};
return {
slug,
url,
createUrl
};
}
}).mount('#app');
and in my html file is was able to call createUrl without invoking it.
Upvotes: 1
Reputation: 12737
Helmet maintainer here. This is happening because your directives need to be nested under a directives property.
For example:
app.use(
helmet.contentSecurityPolicy({
directives: {
defaultSrc: ["'self'"],
scriptSrc: scriptSources,
// ...
},
})
)
Upvotes: 3
Related Questions
- Helmet and contentSecurityPolicy and using nonce AND adding it but still getting error
- how to implement content security policy NONCE in html script tags with node and helmet
- Express js : Content security header is not reflecting
- Ressources not loaded after setting CSP and CORP headers using Helmet
- React app served with express and helmet cannot make API requests
- Content Security Policy: Script Refusing to Load
- Helmet Content Security Policy Global Path not working
- nodeJS https - unable to set Content-Security-Policy
- Implement helmet-csp on individual routes
- Helmet CSP Not Working in Safari Browsers