[英]CSP error in a node.js application
I've a node.js application with a home page in angularjs. 我在nodejs中有一个带有主页的node.js应用程序。 This page contains a 'search' box and has corresponding search.js script which runs and makes a server side query call.
该页面包含一个“搜索”框,并具有运行并进行服务器端查询调用的相应search.js脚本。 For security I added 'csp' in my node.js application with following csp configuration.
为了安全起见,我使用以下csp配置在node.js应用程序中添加了“ csp”。
const csp = require('helmet-csp');
app.use(helmet());
app.use(csp({
directives: {
defaultSrc: ["'self'", 'https://my.domain.com'],
scriptSrc: ["'self'", "'unsafe-inline'"],
styleSrc: ["'self'"],
imgSrc: ["'self'"],
connectSrc: ["'self'"],
fontSrc: ["'self'", 'https://fonts.googleapis.com'],
objectSrc: ["'none'"],
mediaSrc: ["'self'"],
frameSrc: ["'none'"],
},
setAllHeaders: false, // set to true if you want to set all headers
safari5: false // set to true if you want to force buggy CSP in Safari 5
}));
But with this change, I started getting following errors in chrome browser. 但是有了这一更改,我开始在chrome浏览器中遇到以下错误。
Refused to load the stylesheet 'https://fonts.googleapis.com/css?family=Open+Sans:400,300,700,800|Roboto+Slab:400,100,300,700' because it violates the following Content Security Policy directive: "style-src 'self'".
prefixfree.min.js:17 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='), or a nonce ('nonce-...') is required to enable inline execution.
I don't understand what these error means. 我不明白这些错误是什么意思。 How do I fix these errors.
如何解决这些错误。 I need to use fonts from google as part of my style.css file which has following entry,
我需要使用来自Google的字体作为我的style.css文件的一部分,该文件具有以下条目,
@import url(https://fonts.googleapis.com/css?family=Open+Sans:400,300,700,800|Roboto+Slab:400,100,300,700);
Is this right way to set csp? 这是设置csp的正确方法吗? Any help is appreciated.
任何帮助表示赞赏。
Somehow the address to googleapis was flagged due to csp policy. 由于csp政策,以某种方式标记了googleapis的地址。 I solved this problem by,
我解决了这个问题
downloaded required fonts from Google webfonts helper site 从Google webfonts帮助网站下载了所需的字体
removed @import from CSS 从CSS删除了@import
removed googleapis from fontSrc and kept only "'self'" instead. 从fontSrc中删除了googleapi,并仅保留了“'self'”。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.