stackoom
  简体   繁体   中英

Content-Security-Policy blocks Vue.js

 原文  2021-01-07 21:47:55       javascript/ node.js/ vue.js/ content-security-policy

Question

I am serving a HTML page in my node.js server with express.public() function.

and i added this into my html page:

<script src="https://cdn.jsdelivr.net/npm/vue@2/dist/vue.js"></script>

And Chrome gaves me a Content-Security-Policy to me.

I used this middlewares in my Node index.js

app.use(morgan('tiny'));
app.use(helmet());
app.use(cors());
app.use(express.json());
app.use(express.static("./public"));

My application headers:

Content-Security-Policy: default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests

How can i add this script without any SecurityPolicy

SOLVED

I remove "Helmet" from my project. Helmet is blocking the all cdn and scripts other then absolute domain.

2 answers

solution1
 0 ACCPTED  2021-01-08 01:12:47

Content Security Policy is set in the html file being served or by the software serving the html (eg Nginx, Apache).

At the moment you have: default-src 'self', this means you are telling the browser that it is only able to make requests to its own domain.

You need to add https://cdn.jsdelivr.net/npm/vue@2/dist/vue.js to this list of domains it can access.

That would be something like:

Content-Security-Policy: default-src 'self';script-src 'self' https://cdn.jsdelivr.net/npm/vue@2/dist/vue.js; base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests

So default-src: self sets the default to restrict requests to only your own domain.

script-src 'self' https://cdn.jsdelivr.net/npm/vue@2/dist/vue.js overrides this and says specifically for scripts restricts request to only your domain and that url.

This has lots of details and examples: https://content-security-policy.com

solution2
 0  2021-01-08 08:05:38

In addition to what silent-tiger said, I think you should first find out which middleware is responsible for adding this content policy. Do this by disabling all middleware (except express static) and then add the other middlewares one by one until you see the Content Secutity Policy headers again.

If you found which middleware is responsible, then you know which middleware you should configure.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Content-security-policy with ACE.js How to set Content Security Policy Headers in a Vue.js app Content-Security-Policy error? Content-Security-Policy errors Content-Security-Policy and JavaScript Problem with Content-Security-Policy, Next JS and AMP Content-Security-Policy and external Javascript file Chrome Extensions Content-Security-Policy Header CSP (content-security-policy) not correct Where can Content-Security-Policy be configured?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM