Answer the question
In order to leave comments, you need to log in
F
F
fessss2021-01-18 17:56:10
fessss, 2021-01-18 17:56:10
Content Security Policy Error?
I do a local assembly of the project and everything works fine.
As soon as I deploy to a test server, requests stop working and an error occurs
chunk-vendors.cfebedd7.js:63 Refused to load the script 'https://az416426.vo.msecnd.net/scripts/a/ai.0.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.Why is this and how to fix it?
1 answer(s)
@granty
If you don't want to mess with CSP yet, disable it. Most likely, these are the "tricks" of Helmet 4. There it is simply turned off:
while other security headers from Helmet will continue to work.
G
granty, 2021-01-19 @granty
On your test server , an HTTP header or a Content-Security-Policy (CSP) meta tag with the directive .
It only allows scripts to be loaded from the site's own domain ('self') and allows eval expressions: eva(), Function(), setTimeout("string", 2000), etc.
You need to add source host ` https://az416426.vo.msecnd.net ` to script-src:script-src 'self' 'unsafe-eval'
script-src 'self' 'unsafe-eval' https://az416426.vo.msecnd.net;If you don't want to mess with CSP yet, disable it. Most likely, these are the "tricks" of Helmet 4. There it is simply turned off:
helmet({
contentSecurityPolicy: false,
})while other security headers from Helmet will continue to work.
Similar questions
A
P
R
B
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question