内容安全策略和Express.js的问题

编程问答 2022-06-11

问题描述

在学习Express教程时遇到了一些麻烦。即使我在响应标题添加了很多内容,我仍然收到内容安全策略警告。这是我用于更多上下文的服务器代码

const { MongoClient,ObjectID } = require("mongodb");
const Express = require("express")();
const Cors = require("cors");
const BodyParser = require("body-parser");
const { request } = require("express");
const csp = require("helmet-csp");

const client = new MongoClient(process.env["ATLAS_URI"]);

Express.use(BodyParser.json());
Express.use(BodyParser.urlencoded({ extended: true }));
Express.use(Cors());

Express.use(
    csp({
      directives: {
        defaultSrc: [`'unsafe-inline'`,`'self'`],scriptSrc: [`'self'`,`'unsafe-inline'`,`'unsafe-eval'`,`http://*`],styleSrc: [`'self'`,fontSrc: [`'self'`],frameSrc: [`'self'`],connectSrc: [`'self'`],imgSrc: [`'self'`],objectSrc: [`'self'`],reportUri: `/csp`
      },reportOnly: true,}),);

var collection;

Express.listen("3000",async () => {
    try {
        await client.connect();
        collection = client.db("gamedev").collection("scores");
        collection.createIndex({ "location": "2dsphere" });
    } catch (e) {
        console.error(e);
    }
});

Express.post("/create",async (request,response) => {
   // create code
});

Express.get("/get",response) => {
  // get code
});

Express.get("/getNearLocation",response) => {
 // getNearLocation code
});

基本上,每当我运行此代码并尝试使用自己拥有的客户端程序对其进行访问时,即使我似乎已经使用helmet-csp代码中设置了它们,也会遇到以下错误

Content Security Policy: The page’s settings blocked the loading of a resource at http://localhost:3000/favicon.ico (“default-src”).

Content Security Policy: The page’s settings blocked the loading of a resource at inline (“default-src”).

此外,当我卷曲http://localhost:3000时,得到200 OK响应,但是当我卷曲http://localhost:3000/get或任何预定义的Express路线时,都会出现404错误

$ curl -I http://localhost:3000/
HTTP/1.1 200 OK
X-Powered-By: Express
Accept-Ranges: bytes
Content-Type: text/html; charset=UTF-8
Content-Length: 150
ETag: W/"96-tX0B7LKaOuUPvTVjHjbS+EAVlus"
Date: Tue,29 Sep 2020 00:27:53 GMT
Connection: keep-alive

$ curl -I http://localhost:3000/get
HTTP/1.1 404 Not Found
X-Powered-By: Express
Content-Security-Policy: default-src 'none'
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=utf-8
Content-Length: 143
Date: Tue,29 Sep 2020 00:31:44 GMT
Connection: keep-alive

任何帮助或配对都将不胜感激! :(我的大脑在慢慢炸

解决方法

暂无找到可以解决该程序问题的有效方法,小编努力寻找整理中!

如果你已经找到好的解决方法,欢迎将解决方案带上本链接一起发送给小编。

小编邮箱:dio#foxmail.com (将#修改为@)