如何正确设置helmet.js来解决CSP问题? [英] How do I set up helmet.js correctly to resolve CSP issue?
本文介绍了如何正确设置helmet.js来解决CSP问题?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
当我启动Express应用程序时,浏览器会给我这个错误:
When I start my express app the browser gives me this error:
Refused to load the script 'http://localhost:1337/main.js' because it violates
the following Content Security Policy directive: "script-src unsafe-eval".
Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
在我的index.js文件中,我像这样设置了头盔:
In my index.js file I have set helmet up like so:
// Set Content Security Policies
const scriptSources = ["'self'", "'unsafe-inline'", "'unsafe-eval'"];
const styleSources = ["'self'", "'unsafe-inline'"];
const connectSources = ["'self'"];
app.use(
helmet.contentSecurityPolicy({
defaultSrc: ["'self'"],
scriptSrc: scriptSources,
scriptSrcElem: scriptSources,
styleSrc: styleSources,
connectSrc: connectSources,
reportUri: '/report-violation',
reportOnly: false,
safari5: false
})
);
app.use(helmet({
contentSecurityPolicy: false,
}));
并且我的index.html像这样在.js文件中加载:
and my index.html is loading in the .js file like this:
<script type="module" src="./main.js"></script>
这是我的GitHub存储库: https://github.com/jgonzales394/fsn.pw
Here is my GitHub Repo: https://github.com/jgonzales394/fsn.pw
推荐答案
此处是头盔维护者.发生这种情况是因为您的指令需要嵌套在 directives
属性下.
Helmet maintainer here. This is happening because your directives need to be nested under a directives
property.
例如:
app.use(
helmet.contentSecurityPolicy({
directives: {
defaultSrc: ["'self'"],
scriptSrc: scriptSources,
// ...
},
})
)
这篇关于如何正确设置helmet.js来解决CSP问题?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文