Socket.IO blocked by Content Security Policy


Problem description

I am trying to create a super simple website just to show content and have another page be able to change said content on the page. (Security is of 0 concern, so feel free to post really sketchy answers.)

But when I visit the site (hosted on a Digital Ocean server behind NGINX), I get the following error:

Refused to connect to wss://subdomain.domain.online/socket.io/?EIO=4&transport=websocket&sid=SIDHERE because it appears in neither the connect-src directive nor the default-src directive of the Content Security Policy.

I have looked everywhere and got to this policy:

<meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline' wss: ws: *; connect-src 'self' ws: wss: *;">

But I still get the error; I was wondering if anyone would know a fix.

Cheers, Sam

Recommended answer

It looks like you have published 2 CSPs - one via the <meta http-equiv='Content-Security-Policy'> tag and the second one via the CSP HTTP header. In this case the most stringent policy applies.

The second CSP is published on the server by the Helmet middleware; Helmet version 4 has CSP switched on with default rules.

Disable CSP in helmet.contentSecurityPolicy(options) if you wish to use the tag:

const helmet = require('helmet');
// Helmet 4 turns contentSecurityPolicy on by default; disabling it here
// leaves the <meta> tag's policy as the only CSP the browser sees.
app.use(
  helmet({
    contentSecurityPolicy: false,
  })
);

or configure the CSP header in Helmet and do not use the meta tag.
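An added example, not code from the original post or from Helmet, modelling why the meta tag alone could not fix the error: when a page carries both a CSP header and a CSP meta tag, the browser enforces each policy independently, so a request must be allowed by every one of them (the answer's "most stringent policy applies"). It parses the poster's meta policy, a constructed header in the style of Helmet 4's `default-src 'self'` default, and the single explicit header the answer recommends, then checks the blocked wss: URL from the question against each. Assumptions, also marked in the code: `'self'` is simplified to an exact same-origin match (browsers differ on whether `'self'` covers wss: for an https: page), nonces, hashes and path matching are omitted, and the host and policy strings come from the question.

```javascript
// Added example (not from the original post or from Helmet): a minimal model of
// how a browser evaluates a connect-src request against several CSPs at once.
// Assumptions: 'self' is treated as an exact same-origin match (scheme, host,
// port), so a wss: URL does not match 'self' for an https: page; scheme-sources
// ("wss:") and host-sources ("wss://host", "*.example.com", "*") are supported;
// nonces, hashes and path matching are not modelled.

// Parse "default-src 'self'; connect-src wss:" into { directive: [sources] }.
function parsePolicy(text) {
  const policy = {};
  for (const part of text.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Serialise a directives object back into a header value (what Helmet does).
function serializePolicy(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => [name, ...sources].join(' '))
    .join('; ');
}

// Does one source expression match the URL, given the page's origin?
function sourceMatches(source, url, pageOrigin) {
  if (source === '*') return true;
  if (source === "'none'") return false;
  if (source === "'self'") return url.origin === pageOrigin; // assumption: exact origin only
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  if (source.includes('://')) {
    // host-source such as wss://subdomain.domain.online or https://*.example.com
    const [scheme, rest] = source.split('://');
    const host = rest.split('/')[0];
    if (url.protocol !== scheme.toLowerCase() + ':') return false;
    if (host.startsWith('*.')) return url.host.endsWith(host.slice(1));
    return url.host === host;
  }
  return false;
}

// One policy: connect-src governs the request; if absent, default-src does;
// if neither is present the policy places no restriction on connections.
function policyAllowsConnect(policy, urlText, pageOrigin) {
  const url = new URL(urlText);
  const sources = policy['connect-src'] || policy['default-src'];
  if (!sources) return true;
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// Several active policies (header + meta tag): every one must allow the request.
function allPoliciesAllowConnect(policies, urlText, pageOrigin) {
  return policies.every((p) => policyAllowsConnect(p, urlText, pageOrigin));
}

// Constructed inputs mirroring the question: the page origin and wss: URL from
// the error, the <meta> policy from the post, and a header in the style of
// Helmet 4's defaults (assumed here, not copied from Helmet).
const PAGE_ORIGIN = 'https://subdomain.domain.online';
const WS_URL = 'wss://subdomain.domain.online/socket.io/?EIO=4&transport=websocket';
const META_POLICY = parsePolicy(
  "default-src 'self' 'unsafe-inline' wss: ws: *; connect-src 'self' ws: wss: *"
);
const HELMET_DEFAULT_HEADER = parsePolicy(
  "default-src 'self'; object-src 'none'; script-src 'self'"
);
// The fix the answer recommends: one header with an explicit connect-src that
// names the websocket origin instead of the meta tag's wildcard "*".
const FIXED_HEADER_DIRECTIVES = {
  'default-src': ["'self'"],
  'script-src': ["'self'"],
  'connect-src': ["'self'", 'wss://subdomain.domain.online'],
};
const FIXED_HEADER = parsePolicy(serializePolicy(FIXED_HEADER_DIRECTIVES));

function demo() {
  return {
    metaOnly: allPoliciesAllowConnect([META_POLICY], WS_URL, PAGE_ORIGIN),
    metaPlusHelmetDefault: allPoliciesAllowConnect(
      [META_POLICY, HELMET_DEFAULT_HEADER], WS_URL, PAGE_ORIGIN
    ),
    fixedHeaderOnly: allPoliciesAllowConnect([FIXED_HEADER], WS_URL, PAGE_ORIGIN),
  };
}

console.log(demo());
```

`metaOnly` is allowed and `fixedHeaderOnly` is allowed, but `metaPlusHelmetDefault` is blocked: the Helmet-style header has no `connect-src`, so the wss: request falls back to `default-src 'self'`, fails there, and the meta tag's permissive policy cannot override it. In Helmet 4 the equivalent of `FIXED_HEADER_DIRECTIVES` is passed as `helmet({ contentSecurityPolicy: { directives: { ... } } })`; once that single header carries the whole policy, the `<meta>` tag should be removed so two policies are not intersected again. Naming the websocket origin explicitly is also the smaller change than the question's `connect-src ... *`, which lets the page open connections to any host.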

