Content security policy

rookie · October 7, 2022, 7:07pm

I am running a simple expressjs app with crud functionality. When attempting to post an article I am getting an error related to csp Content Security Policy: The page’s settings blocked the loading of a resource at https://express-sqlite.fly.dev/ (“default-src”). I tried all sorts of seting up csp on my express server using helmetjs like so

app.use(
  helmet.contentSecurityPolicy({
    useDefaults: false,
    directives: {
      "default-src": [`"self"`, `https://express-sqlite.fly.dev/`],
    },
  })

but still my requests are being blocked. I was wondering if anyone has faced this issue and managed to resolve it?

fideloper-fly · October 7, 2022, 7:47pm

Did you try only specifying "self"? based on these docs, it seems like just “self” should be required: CSP: default-src - HTTP | MDN

rookie · October 8, 2022, 7:11am

yes I did try self

rookie · October 8, 2022, 7:49am

I just noticed that this issue arises in firefox only. in chrome requests works just fine

Topic		Replies	Views
CORS error with Express Questions / Help nodejs	1	415	July 14, 2023
fly-client-ip on an expressJS app using a custom cert Questions / Help	3	98	April 11, 2024
Locked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Questions / Help	3	1349	May 13, 2023
Express server accessible by REST client & Edge but not Chrome Questions / Help nodejs	4	458	July 6, 2023
Did you remove services.ports.http_options.response.headers feature?	3	392	February 7, 2023

Content security policy

Related Topics