Lightrun
question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Not loading due to Content Security Policy Directive on CDN requests

See original GitHub issue

This issue pertains to the following package(s):

  • GraphQL Playground - Electron App
  • GraphQL Playground HTML
  • GraphQL Playground
  • GraphQL Playground Express Middleware
  • GraphQL Playground Hapi Middleware
  • GraphQL Playground Koa Middleware
  • GraphQL Playground Lambda Middleware

What OS and OS version are you experiencing the issue(s) on?

MacOS 10.15.6 (Catalina), all browsers.

What version of graphql-playground(-electron/-middleware) are you experiencing the issue(s) on?

latest

What is the expected behavior?

I would expect to load the GraphQL playground.

What is the actual behavior?

Stuck at “Loading GraphQL Playground” screen with the following errors in console:

Refused to load the image 'http://cdn.jsdelivr.net/npm/@apollographql/graphql-playground-react@1.7.33/build/favicon.png' because it violates the following Content Security Policy directive: "img-src 'self' data:".

graphql:1 Refused to load the script 'https://cdn.jsdelivr.net/npm/@apollographql/graphql-playground-react@1.7.33/build/static/js/middleware.js' because it violates the following Content Security Policy directive: "script-src 'self'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

graphql:531 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-PT+YOJyhu3IamY7Pf1cnvQbDxlHIK2FjqtA7GQoyN5U='), or a nonce ('nonce-...') is required to enable inline execution.

graphql:1 Refused to load the image 'https://cdn.jsdelivr.net/npm/@apollographql/graphql-playground-react@1.7.33/build/favicon.png' because it violates the following Content Security Policy directive: "img-src 'self' data:".

What steps may we take to reproduce the behavior?

Attempt to visit graphql-playground.

Please provide a gif or image of the issue for a quicker response/fix. image

Issue Analytics

  • State:open
  • Created 3 years ago
  • Reactions:19
  • Comments:20

github_iconTop GitHub Comments

262reactions
CatsMiaowcommented, Oct 5, 2020

I had the same problem and solved it. This is a problem with setting the “Content-Security-Policy” header value that the web server responds. image need to delete or modify the setting.

In my case, the helmet module was responding, and I solved it by modifying it as follows.

app.use(helmet({ contentSecurityPolicy: (process.env.NODE_ENV === 'production') ? undefined : false }));
38reactions
kweijcommented, Jan 14, 2022

For those of you running into this after upgrading helmet to v5 or higher (as I did), you will also get a console error and blocked response because of COEP/CORP headers (in Chrome, but not in Firefox). This happens because the initial request to cdn.jsdelivr.com yields a 307 Temporary Redirect from http to https (because of the HSTS configuration on the jsdelivr side). This redirect itself does not contain the proper CORP headers – I think.

I have addressed this at jsdelivr’s repo: https://github.com/jsdelivr/jsdelivr/issues/18201#issuecomment-1012912236

To circumvent this, also disable the crossOriginEmbedderPolicy header:

  app.use(helmet({ contentSecurityPolicy: false, crossOriginEmbedderPolicy: false }))
Read more comments on GitHub >

github_iconTop Results From Across the Web

How to fix 'because it violates the following content security ...
Refused to load the script 'https://cdn.mycompany.com/scripts.js' because it violates is stating that the script https://cdn.mycompany.com/scripts.js was ...
Read more >
The page's settings blocked the loading of a resource - Stack ...
One reason for "Content Security Policy: The page's settings blocked the loading of a resource" is if JavaScript is not enabled or blocked...
Read more >
Content Security Policy (CSP) - HTTP - MDN Web Docs
Chrome Edge Content‑Security‑Policy Full support. Chrome25. more. Toggle history Full sup... base‑uri Full support. Chrome40. Toggle history Full sup... block‑all‑mixed‑content. Deprecated Full support. ChromeYes. Toggle history...
Read more >
What is Content Security Policy (CSP) | Header Examples
script-src—locations from which external scripts can be loaded. If your website or application does not use client-side scripting, set the value to none....
Read more >
Content Security Policy (CSP) - Pendo Help Center
While Pendo is compatible with strict CSP directives, it is the user's responsibility to ensure the guide content is compatible with your CSP...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found
Previous page

Missing build/static directory in the latest release

Next page

Last Stable Releases Roadmap