Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

contentSecurityPolicy blocking cdn

See original GitHub issue

when I am using app.use(helmet()) its blocking all other cdn & static urls but if I use the code below then cdn & static urls working fine.

app.use(
  helmet({
    contentSecurityPolicy: false,
  })
)

Issue Analytics

State:
Created 3 years ago
Comments:19 (7 by maintainers)

Top GitHub Comments

2reactions

EvanHahncommented, Oct 24, 2020

I’m not sure, but I wouldn’t. If someone serves malicious code on www.google.evil.com, for example, you’d be vulnerable.

2reactions

krishnaTORQUEcommented, Oct 23, 2020

alright so my final code is below which solved the svg issue too.

app.use(
  helmet({
    contentSecurityPolicy: {
      directives: {
        defaultSrc: [
          "'self'",
          "'unsafe-inline'",
          'data:',
          'localhost',
          'main-domain.com',
          '*.main-domain.com',
          '*.google.com',
          '*.google.co.in',
          '*.google-analytics.com',
          '*.googlesyndication.com',
          '*.googleadservices.com',
          '*.googletagservices.com',
          '*.googleapis.com',
          '*.doubleclick.net',
          '*.gstatic.com',
          'youtu.be',
          '*.youtu.be',
          '*.youtube.com',
        ],
      },
    },
  })
)

the only issue i am facing is in production. api send all request 404 example api path '/api/user’

another issue I have added google.com & google.co.in but is there any way use .google. I found it is not working

Top Results From Across the Web

Content Security Policy (CSP) - HTTP - MDN Web Docs

Chrome Edge Content‑Security‑Policy Full support. Chrome25. more. Toggle history Full sup... base‑uri Full support. Chrome40. Toggle history Full sup... block‑all‑mixed‑content. Deprecated Full support. ChromeYes. Toggle history...

How to fix 'because it violates the following content security ...

Content Security Policy blocks all resources that don't match it's policy. To view the policy for a specific website use the CSP Evaluator....

Content-Security-Policy Header CSP Reference & Examples

The Content-Security-Policy header allows you to restrict how resources such as JavaScript, CSS, or pretty much anything that the browser loads.

How to Set Up a Content Security Policy (CSP) in 3 Steps

A CSP is an added layer of protection for your website that can help detect and block malicious data injections and XSS from...

All CDN's blocked by Content Security Policy - Stack Overflow

CASE 1 (works): When I just move my HTML file in the browser (so C://... .html) it works and gets all cdn's.