Stuck on an issue?
Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
CSP policy not working properly
See original GitHub issueHello , I have read the documentaion over and over again and tried various thing but CSP policy is not allowing imgaes from imgur here is the code
app.use(
helmet.contentSecurityPolicy({
"default-src": ["'self'"],
"base-uri": ["'self'"],
"block-all-mixed-content": [],
"font-src": ["'self'"],
" frame-ancestors": ["'self'"],
"img-src ["'self'", "https://imgur.com/"],
" object-src": ["'none'"],
"script-src": ["'self'"],
"script-src-attr": ["'none'"],
" style-src": ["'self'", "https: 'unsafe-inline'"],
"upgrade-insecure-requests": []
})
)
what am i doing wrong here??
Issue Analytics
- State:
- Created 3 years ago
- Comments:9 (5 by maintainers)
Top Results From Across the Web
How to fix 'because it violates the following content security ...
Content Security Policy blocks all resources that don't match it's policy. To view the policy for a specific website use the CSP Evaluator....
Read more >CSP errors and warnings (Content Security Policy) - HTTP
When you see any of the following messages logged in the browser devtools console, it indicates that a problem related to CSP has...
Read more >Content security policy not working - Stack Overflow
I'm using firefox, and it is working for me. This is the header I'm adding in response: Content-Security-Policy: default-src 'none'.
Read more >Content Security Policy (CSP) Not Implemented - Invicti
A Content Security Policy (CSP) Not Implemented is an attack that is similar to a Server-Side Template Injection (JinJava) that -level severity.
Read more >Website not working after adding/modifying Content-Security ...
Web application stops working or some of elements are not displayed after inserting/modifying Content-Security-Policy HTTP header.
Read more >
Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free
Top Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
The reason why it is not working is the options object you are using. As stated in the documentation:
options.directives is an object.Or, if you prefer the raw code: (https://github.com/helmetjs/helmet/blob/cb170160e7c1ccac314cc19d3b979cfc771f1349/middlewares/content-security-policy/index.ts#L61)
I do think though this could be either pointed at more directly in the docs or print a warning when CSP is invoked with options object that doesn’t have the directives prop.
Hope that helped
I think @BobbySpoon is right. In other words, you need to go from this:
To this:
I’m going to close this issue because I think this solves your problem, but let me know if that’s wrong and I can reopen.