5632

CSP error in a node.js application

<h3>Question</h3>

I've a node.js application with a home page in angularjs. This page contains a 'search' box and has corresponding search.js script which runs and makes a server side query call. For security I added 'csp' in my node.js application with following csp configuration.

const csp = require('helmet-csp'); app.use(helmet()); app.use(csp({ directives: { defaultSrc: ["'self'", 'https://my.domain.com'], scriptSrc: ["'self'", "'unsafe-inline'"], styleSrc: ["'self'"], imgSrc: ["'self'"], connectSrc: ["'self'"], fontSrc: ["'self'", 'https://fonts.googleapis.com'], objectSrc: ["'none'"], mediaSrc: ["'self'"], frameSrc: ["'none'"], }, setAllHeaders: false, // set to true if you want to set all headers safari5: false // set to true if you want to force buggy CSP in Safari 5 }));

But with this change, I started getting following errors in chrome browser.

Refused to load the stylesheet 'https://fonts.googleapis.com/css?family=Open+Sans:400,300,700,800|Roboto+Slab:400,100,300,700' because it violates the following Content Security Policy directive: "style-src 'self'". prefixfree.min.js:17 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='), or a nonce ('nonce-...') is required to enable inline execution.

I don't understand what these error means. How do I fix these errors. I need to use fonts from google as part of my style.css file which has following entry,

@import url(https://fonts.googleapis.com/css?family=Open+Sans:400,300,700,800|Roboto+Slab:400,100,300,700);

Is this right way to set csp? Any help is appreciated.


<h3>Answer1:</h3>

Somehow the address to googleapis was flagged due to csp policy. I solved this problem by,

<ol><li>

downloaded required fonts from Google webfonts helper site

</li> <li>

removed @import from CSS

</li> <li>

removed googleapis from fontSrc and kept only "'self'" instead.

</li> </ol>

来源:https://stackoverflow.com/questions/48800051/csp-error-in-a-node-js-application

Recommend

  • CSP error in a node.js application
  • Android How to capture two consecutive frames from camera
  • H2 Database - Reorder columns using SQL
  • Strange Exception thrown using Dynamic Linq Entity Framework Query
  • angular2 - passing data object between components
  • Are there race conditions in this producer-consumer implementation?
  • What is the difference between ViewData, ViewBag and TempData? [duplicate]
  • Find column given name of title row
  • How to get optim working with matrix multiplication inside the function to be maximized in R
  • VisualStyleRenderer to bitmap
  • Git shows no merge conflicts when it should
  • monitor incoming/outgoing http traffic with .net
  • TKinter - How to stop a loop with a stop button?
  • Chartjs 2.7.3: Set Y data at the correct X position axis
  • Builder Library for Scala and Java
  • Unbinding drawables onPause() causing unresponsive back navigation and skipping this step cause memo
  • Undefined reference to pthread_create
  • .NET DBNull vs Nothing across all variable types?
  • Show Link on image at hovering in jquery
  • Index sizes in MySQL
  • When using a mask register with AVX-512 load and stores, is a fault raised for invalid accesses to m
  • localStorage data persistence
  • Azure SQL high wait time on “VDI_CLIENT_OTHER”
  • Why Does FDT Show A Java Heap Error While Packaging an Adobe AIR app for iOS (.IPA)
  • Creating an alias for emacs in read-only mode on Linux in my .tcshrc file
  • Read certain line in text file and display the next
  • hsqldb ignores first insert operation on table at server (server needs to be “warmed up”?)
  • SQL connection to localhost
  • PowerShell parameters from file
  • Generating pdfs with jsPDF compatibility issues in Firefox?
  • Laravel: Google contacts API gives empty results
  • WPF style for buttons
  • WM_POWERBROADCAST not received by message-only window in Windows XP
  • Smarter Removing Unnecessary WhiteSpace CSV
  • Rotating Towards Path in OpenGL
  • Functions by reference or by variable, which to use when?
  • Why my AngularJS async test in Jasmine 1.3.x is not working?
  • Capture SIGFPE from SIMD instruction
  • How to use FirstOrDefault inside Include
  • WPF custom control and direct content support