Ressources not loaded after setting CSP and CORP headers using Helmet
Trying to make the web-app safer and force myself to control better future additions (JS and CSS assets on different CDNs), I'm running Helmet plugin in my Fastify (same as Express) web-app.
If I deactivate all Helmet controls like the following:
fastify.register(helmet, false) all works fine and all resources are loaded on client.
Then I tried to play (until exhaustion) with different configurations, nothing is working. The config and the browser error as the following:
{
// contentSecurityPolicy: false,
crossOriginResourcePolicy: { policy: 'same-site'},
contentSecurityPolicy: {
directives: {
...require("fastify-helmet").contentSecurityPolicy.getDefaultDirectives(),
"default-src": ["'self'"],
"style-src": ["'self'", "'unsafe-inline'", 'unpkg.com', 'cdn.jsdelivr.net',
'fonts.googleapis.com', 'use.fontawesome.com'],
"script-src": ["'self'", 'unpkg.com', "cdn.jsdelivr.net", "'unsafe-inline'"],
"img-src": ["'self'", "'data'", "*.tile.osm.org"],
"font-src": ["'self'", 'fonts.googleapis.com', 'fonts.gstatic.com', 'use.fontawesome.com']
},
},
};
Even setting
{ contentSecurityPolicy: false, crossOriginResourcePolicy: { policy: 'same-site'} }
with other variations of policy: same-origin, cross-origin none seems to work.
As you can see, I'm running on LOCALHOST too and I didn't test elsewhere.
tl;dr: disable the Cross-Origin-Embedder-Policy header, enabled by default in Helmet v5.
{
crossOriginEmbedderPolicy: false,
// ...
}
Helmet maintainer here.
Helmet sets the the Cross-Origin-Embedder-Policy HTTP response header to require-corp.
Setting this header means that loading cross-origin resources (like an image from another resource) is trickier. For example, loading a cross-origin like this...
<img alt="My picture" src="https://example.com/image.png">
...won't work unless example.com explicitly allows it, by setting some response headers of its own. Your browser will try to load example.com/image.png, and if it's not explicitly allowed, your browser will drop the response.
To fix this, you can prevent Helmet from setting the Cross-Origin-Embedder-Policy header, like this:
app.use(
helmet({
crossOriginEmbedderPolicy: false,
// ...
})
);
I made a small sample app you can use to play around with this.
- MongoDB Authentication Issues with Node.js and Mongo-Express in Docker Compose setup
- How does minecraft actually connect to a server?
- MongoDB Authentication failes for any user
- Processing an exception through Apollo Server (NestJS)
- Why doesn't CSS work when I deploy the Next.js sample project in production?
- Next.js form works locally but not on live server
- fs.readFileSync is not file relative? Node.js
- How do I completely uninstall Node.js, and reinstall from beginning (Mac OS X)
- Quasar Error: Cannot find module 'ajv/dist/compile/codegen'
- What does --save-dev (or -D) mean in npm install grunt --save-dev?
- What If Session Expires While User Is Still On The Website
- Deleting `package-lock.json` to Resolve Conflicts quickly
- Upgrading Node.js to the latest version
- Run of a next js app stuck, npm run dev doesn't work
- Mustache(-like) template engine for Express?
- How to list npm user-installed packages?
- How do I check Content-Type using ExpressJS?
- Can't run "node index.js" due to a syntaxError
- What happens if NPM ever goes belly up?
- npm install takes forever when running docker-compose
- Remix run: Authentication succeeds on validation failures
- Fixing npm path in Windows 8 and 10
- How to add a custom script to package.json that runs a javascript file?
- node-fetch azure document translator
- Unable to import ESM module in Nestjs
- how ca I fix this error after exacting npx cap add android?
- multer-gridfs error " TypeError: Cannot read properties of undefined (reading '_id') "
- How to resolve Node.js: "Error: ENOENT: no such file or directory"
- Write the contents of node debug log to file
- How to use promisify() with the spawn() function for the 'child_process'?