helmet: contentSecurityPolicy blocking cdn

when I am using app.use(helmet()) its blocking all other cdn & static urls but if I use the code below then cdn & static urls working fine.

app.use(
  helmet({
    contentSecurityPolicy: false,
  })
)

About this issue

  • Original URL
  • State: closed
  • Created 4 years ago
  • Comments: 22 (8 by maintainers)

Most upvoted comments

alright so my final code is below which solved the svg issue too.

app.use(
  helmet({
    contentSecurityPolicy: {
      directives: {
        defaultSrc: [
          "'self'",
          "'unsafe-inline'",
          'data:',
          'localhost',
          'main-domain.com',
          '*.main-domain.com',
          '*.google.com',
          '*.google.co.in',
          '*.google-analytics.com',
          '*.googlesyndication.com',
          '*.googleadservices.com',
          '*.googletagservices.com',
          '*.googleapis.com',
          '*.doubleclick.net',
          '*.gstatic.com',
          'youtu.be',
          '*.youtu.be',
          '*.youtube.com',
        ],
      },
    },
  })
)

the only issue i am facing is in production. api send all request 404 example api path '/api/user

another issue I have added google.com & google.co.in but is there any way use .google. I found it is not working

+3
krishnaTORQUE on Oct 23, 2020

I’m not sure, but I wouldn’t. If someone serves malicious code on www.google.evil.com, for example, you’d be vulnerable.

+2
EvanHahn on Oct 24, 2020

It looks like contentSecurityPolicy: false does work but was blocked by a browser cache issue. If all else fails I’ll use this.

More refined, my setup is like this (which does NOT work):

contentSecurityPolicy: {
      directives: {
        defaultSrc: ["'self'", "https://cdn.buymeacoffee.com/*", "http://placekitten.com/*"]
      }
    }

The header looks like this:

default-src 'self' https://cdn.buymeacoffee.com/* http://placekitten.com/*;base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests

Other http calls are working okay, even though they are not included here. So not sure what the issue is.

+1
chrisdel101 on May 6, 2023

You can disable helmet content default policy and add policy on LB/Node server

app.use((req, res, next) => {
    res.setHeader('Content-Security-Policy', "default-src * 'unsafe-inline' 'unsafe-eval' data: blob:");
    next();
});

app.use(
  helmet.contentSecurityPolicy({
    useDefaults: false,
  }),
);
+1
opensrc0 on Jun 27, 2022

@kerimkaan It looks like you’ll need to enable CORS on the backend. Helmet doesn’t deal with CORS at all, so you may wish to read about CORS on MDN or use the cors package.

+1
EvanHahn on Jan 1, 2021
Read more comments on GitHub
← helmet: After update issue ERR_BLOCKED_BY_RESPONSE
helmet: CSP: `defaultSrc` should not be required →