Category: csp

CSP error in a node.js application

I’ve a node.js application with a home page in angularjs. This page contains a ‘search’ box and has a corresponding search.js script which runs and makes a server side query call. For security I added ‘csp’ in my node.js application with the following CSP configuration.

    const csp = require('helmet-csp');
    app.use(helmet());
    app.use(csp({
      directives: {
        defaultSrc: ["'self'", 'https://my.domain.com'],
        scriptSrc: ["'self'", "'unsafe-inline'"],
        styleSrc: ["'self'"],
        imgSrc: ["'self'"],
        connectSrc: ["'self'"],
        fontSrc: ["'self'", 'https://fonts.googleapis.com'],
        objectSrc: […]

use sha for CSP in chrome app for inline <script> tag (angular)

I met a problem using angular in a Chrome app because of a CSP violation. I tried to add a hash to the inline tag, but the app doesn't recognise the CSP manifest key.

    There were warnings when trying to install this extension:
    *Unrecognized manifest key 'Content-Security-Policy'.

The part of the code which is causing the problem is

    <script>System.import('main.js').catch(function(err){ console.error(err); });</script>

Manifest.js

    {
      "name": "test-app",
      "version": "0.1",
      "description": "Test.",
      "manifest_version": 2,
      "minimum_chrome_version": "40.0.2213.0",
      "app": {
        "background": {
          "scripts": ["background.js"]
        }
      },
      "permissions": […]