Content Security Policy issues with new form

Question

What is the easiest way for me to set the content security policy for a new form I am using? I have a frontend to backend form working for my registration but this form is a lot more complicated and is throwing me the errors below. I am aware this is to do with webpack and I have tried inserting code into my public index.html file which just stopped the page from rendering.

Would this have anything to do with my CORS settings in the backend? I have the below code which references headers, and I have been getting error messages about setting headings in other forms that I am having the same issues with.

app.use((req, res, next) => {
    res.header('Access-Control-Allow-Origin', '*');
    res.header(
        'Access-Control-Allow-headers',
        'Origin, X-Requested-With, Content-Type, Accept',
    );
    next();
});

Recommended answer

The errors described have nothing to do with your CORS settings in the backend. They are related to the CSP (Content-Security-Policy) header, which you, it would seem, do not use. But for nonexistent pages Node.js publishes a CSP header on its own.

Pay attention to the status code 404 Not Found. If you do not handle this kind of error, Node.js uses its own finalhandler to handle them by default.
The latest versions of this finalhandler publish the CSP default-src 'none'; all the nitty-gritty is here.

Looks like you do not serve routes to the root / folder in your server config, therefore /favicon.ico and similar URLs are not found -> finalhandler publishes default-src 'none'; -> you observe a CSP violation in the browser console (along with the 404 Not Found messages).

You have to add something like this into server.js:

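const path = require('path');

// Serve everything in client/public (favicon.ico included, if it lives there).
app.use(express.static('client/public'));
app.get("/favicon.ico", (req, res) => {
  // No leading "/" here: an absolute segment makes path.resolve ignore __dirname.
  res.sendFile(path.resolve(__dirname, "favicon.ico"));
});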

The above will solve the issue with "/favicon.ico Not Found"; for other "non-existent" URLs you need to add routes too.
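
To tell which URLs still need a route, the following added example (not part of the original answer) triages responses copied from the browser's Network tab: a 404 carrying `default-src 'none'` points at the default error handler described above, while a restrictive policy on a 200 response is one the app sets itself. The function names and the sample records are assumptions constructed for illustration.

```javascript
// Added example: sample records are constructed, function names are hypothetical.
const FETCH_DIRECTIVES = ["script-src", "style-src", "img-src", "font-src", "connect-src"];

// Parse a Content-Security-Policy header value into { directive: [sources] }.
function parseCsp(headerValue) {
  const policy = Object.create(null);
  for (const part of String(headerValue || "").split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (!name) continue;
    const key = name.toLowerCase();
    // A repeated directive is ignored by browsers; the first occurrence wins.
    if (!(key in policy)) policy[key] = sources;
  }
  return policy;
}

// An empty source list matches nothing, so it behaves like 'none'.
const isNone = (sources) =>
  Array.isArray(sources) &&
  (sources.length === 0 || (sources.length === 1 && sources[0].toLowerCase() === "'none'"));

// Classify each response: does the restrictive CSP come from an unhandled 404
// (fix: add a route or static file) or from a policy the app sets itself?
function triage(responses) {
  return responses.map(({ url, status, csp }) => {
    const policy = parseCsp(csp);
    // Fetch directives fall back to default-src when not listed explicitly.
    const blocked = FETCH_DIRECTIVES.filter((d) => isNone(policy[d] || policy["default-src"]));
    let verdict = "ok";
    if (status === 404 && isNone(policy["default-src"])) verdict = "unhandled-404";
    else if (blocked.length > 0) verdict = "app-policy";
    return { url, status, blocked, verdict };
  });
}

// Constructed sample: what the Network tab might show for an app like the one in the question.
const sample = [
  { url: "/favicon.ico", status: 404, csp: "default-src 'none'" },
  { url: "/register", status: 200, csp: undefined },
  { url: "/admin", status: 200, csp: "default-src 'self'; img-src 'none'" },
];

console.table(triage(sample));
```

Every URL reported as `unhandled-404` needs a route or a static file of its own, as the answer says for /favicon.ico.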
