当我启动我的快速应用程序时,浏览器会给我这个错误:
Refused to load the script 'http://localhost:1337/main.js' because it violates
the following Content Security Policy directive: "script-src unsafe-eval".
Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
在我的 index.js 文件中,我已经像这样设置了 Helm :// Set Content Security Policies
const scriptSources = ["'self'", "'unsafe-inline'", "'unsafe-eval'"];
const styleSources = ["'self'", "'unsafe-inline'"];
const connectSources = ["'self'"];
app.use(
helmet.contentSecurityPolicy({
defaultSrc: ["'self'"],
scriptSrc: scriptSources,
scriptSrcElem: scriptSources,
styleSrc: styleSources,
connectSrc: connectSources,
reportUri: '/report-violation',
reportOnly: false,
safari5: false
})
);
app.use(helmet({
contentSecurityPolicy: false,
}));
我的 index.html 正在像这样加载到 .js 文件中:<script type="module" src="./main.js"></script>
这是我的 GitHub 存储库:https://github.com/jgonzales394/fsn.pw
最佳答案
Helm 维护者在这里。发生这种情况是因为您的指令需要嵌套在 directives
下。属性(property)。
例如:
app.use(
helmet.contentSecurityPolicy({
directives: {
defaultSrc: ["'self'"],
scriptSrc: scriptSources,
// ...
},
})
)
关于javascript - 如何正确设置helmet.js 以解决CSP 问题?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/64762132/