
Directives can only be added in kebab case

See original GitHub issue

When using the default directives as a starting point, it’s not possible to specify other directives in camel case, only in kebab case. In other words, the following code works fine:

const express = require('express')
const helmet = require('helmet')

const app = express()

const PORT = 3000

// Start from helmet's default directives and override script-src. Because the
// key is spelled exactly like the default's key, the object literal holds it once.
app.use(helmet.contentSecurityPolicy({
    directives: {
        ...helmet.contentSecurityPolicy.getDefaultDirectives(),
        'script-src': ["'self'", "example.com"]
    }
}))

app.get('/', (req, res) => {
    res.send('Hello World!')
})

app.listen(PORT, () => {
    console.log(`Example app listening at http://localhost:${PORT}`)
})

I’ve checked the Content-Security-Policy header, which correctly includes script-src 'self' example.com;. However, if I change 'script-src' to scriptSrc, I get the following error:

            throw new Error(`Content-Security-Policy received a duplicate directive ${JSON.stringify(directiveName)}`);
            ^

Error: Content-Security-Policy received a duplicate directive "script-src"

While the workaround for this issue is easy (just use kebab case), it is inconsistent that these methods do not give the same result. I propose that either both methods throw an error or both just add the directive to the default directives (which is the preferred option in my opinion).

I’m using express 4.17.1, helmet 4.3.1, and node 14.15.1.

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Reactions: 2
  • Comments: 8 (5 by maintainers)

Top GitHub Comments

1 reaction
thomasdingemanse commented, Jan 31, 2021

You make a good point. I agree that option 4 makes the most sense and that a useDefaults setting which is disabled by default in helmet 4 and enabled by default in version 5 seems to be the most intuitive.

0 reactions
EvanHahn commented, May 2, 2021

The useDefaults option was added to helmet@4.6.0 and helmet-csp@3.4.0.

The option defaults to false, but that will change to true in the next major version. You can see that work tracked in #314 and follow along with all of Helmet v5 in #309. (Help is wanted on a number of these issues!)
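The following is an added example, not code from the helmet project or from anyone in this thread. It re-implements, in simplified form, the two behaviours discussed above: the directive-name normalisation that turns the issue's scriptSrc key into a duplicate of the spread 'script-src' default, and the useDefaults merge the maintainer describes for helmet@4.6.0, under which both spellings give the same header. The helper names (dashify, normalizeDirectives, serialize, buildPolicy, tryBuild) and the list of default directives are assumptions made for illustration; they are not helmet's internals.

```javascript
// Added example, not helmet's own code: a simplified re-implementation of the
// directive normalisation the issue runs into, plus the useDefaults merge the
// maintainer describes. Helper names (dashify, normalizeDirectives, serialize,
// buildPolicy, tryBuild) and the list of defaults are assumptions.

// Constructed subset of helmet 4's default directives (kebab-case keys).
function getDefaultDirectives() {
  return {
    'default-src': ["'self'"],
    'base-uri': ["'self'"],
    'script-src': ["'self'"],
    'object-src': ["'none'"],
    'upgrade-insecure-requests': [],
  };
}

// camelCase -> kebab-case (scriptSrc -> script-src); kebab-case input is unchanged.
function dashify(name) {
  return name.replace(/[A-Z]/g, (c) => '-' + c.toLowerCase());
}

// Normalise every key and reject two spellings of the same directive.
function normalizeDirectives(rawDirectives) {
  const result = new Map();
  for (const rawName of Object.keys(rawDirectives)) {
    if (rawName.length === 0 || /[^a-zA-Z0-9-]/.test(rawName)) {
      throw new Error(`Content-Security-Policy received an invalid directive name ${JSON.stringify(rawName)}`);
    }
    const name = dashify(rawName);
    if (result.has(name)) {
      throw new Error(`Content-Security-Policy received a duplicate directive ${JSON.stringify(name)}`);
    }
    result.set(name, rawDirectives[rawName]);
  }
  return result;
}

// Render the map as a header value; value-less directives are emitted bare.
function serialize(directives) {
  return Array.from(directives, ([name, values]) =>
    values.length ? `${name} ${values.join(' ')}` : name
  ).join(';');
}

// With useDefaults the user's directives are normalised first and any default
// they did not set is filled in afterwards, so a user key never collides with a default.
function buildPolicy(directives, { useDefaults = false } = {}) {
  const result = normalizeDirectives(directives);
  if (useDefaults) {
    for (const [name, value] of Object.entries(getDefaultDirectives())) {
      if (!result.has(name)) result.set(name, value);
    }
  }
  return serialize(result);
}

function tryBuild(directives) {
  try {
    return { ok: true, header: buildPolicy(directives) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Case 1, the issue's working code: 'script-src' is the same object-literal
// key as the spread default, so JS keeps one entry and the user value wins.
const KEBAB_DIRECTIVES = {
  ...getDefaultDirectives(),
  'script-src': ["'self'", 'example.com'],
};

// Case 2, the failing variant: scriptSrc is a different key, so the object
// holds both 'script-src' and scriptSrc and normalisation sees a duplicate.
const CAMEL_DIRECTIVES = {
  ...getDefaultDirectives(),
  scriptSrc: ["'self'", 'example.com'],
};

// Case 3: with useDefaults (no spread needed), both spellings give the same header.
const CAMEL_WITH_DEFAULTS = buildPolicy({ scriptSrc: ["'self'", 'example.com'] }, { useDefaults: true });
const KEBAB_WITH_DEFAULTS = buildPolicy({ 'script-src': ["'self'", 'example.com'] }, { useDefaults: true });

console.log(tryBuild(KEBAB_DIRECTIVES));
console.log(tryBuild(CAMEL_DIRECTIVES));
console.log(CAMEL_WITH_DEFAULTS === KEBAB_WITH_DEFAULTS);
```

The point the example makes is that the "duplicate directive" error is not about camel case as such: the kebab-case override only works because the object literal silently merges it with the spread default before helmet sees it, while a camelCase key survives as a second entry. Under a useDefaults-style merge the spread is unnecessary, so there is nothing to collide with.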
