My locale NUXT JavaScript files are being blocked by Content Security Policy

I've been working on implementing CSP headers for my website to ensure data is loaded from trusted sources.

However, I'm facing an issue where CSP is blocking my local JS files. Here's a snippet from my nuxt.config.js:

const self = 'localhost:*'
render: {
    csp: {
        reportOnly:false,
        addMeta: true,
        policies: {
            'default-src': [self],
            'script-src': [self, 'unsafe-inline','strict-dynamic'],
            'style-src': [self,'unsafe-inline'],
            'img-src':[self,'data:'],
            'object-src':[self,'self']
        }
    }
},

The following files are being blocked:

http://localhost:3500/_nuxt/runtime.js
http://localhost:3500/_nuxt/layouts/default.js
http://localhost:3500/_nuxt/pages/index.js
http://localhost:3500/_nuxt/commons/app.js
http://localhost:3500/_nuxt/vendors/app.js
http://localhost:3500/_nuxt/app.js

The error message reads:

Refused to load the script '<URL>' because it violates the following Content Security Policy directive: "script-src 'sha256-6SIdoCBgtiLdpIihMzGUvd5OCiaDdcIHhB8Tzkn9l8M='". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

To delve deeper into this issue, I recommend checking the header request in the network tab for more insights. It's strange how sometimes it loads the same JS file and other times throws an error...

https://i.stack.imgur.com/n6tNZ.png

javascriptvue.jssecuritynuxt.js

Answer №1

Referencing examples from mdn documentation below might help in solving your issue. For more detailed examples, please visit here

Example 1

If a web site administrator wants all content to come from the site's own origin (excluding subdomains), they can use:

Content-Security-Policy: default-src 'self'

Example 2

To allow content from a trusted domain and its subdomains (not necessarily the same domain as the CSP is set on), an administrator can use:

Content-Security-Policy: default-src 'self' trusted.com *.trusted.com

Example 3

In case a web site administrator aims to enable users of a web application to include images from any origin in their content, while restricting audio or video media to trusted providers, and scripts only to a specific server hosting trusted code, they can implement:

Content-Security-Policy: default-src 'self'; img-src *; media-src media1.com media2.com; script-src userscripts.example.com

This setup allows content only from the document's origin by default, with certain exceptions such as allowing images from any source, limiting media to specified domains, and permitting scripts from a designated server.

Similar questions

If you have not found the answer to your question or you are interested in this topic, then look at other similar questions below or use the search

Whenever I attempt to use for or while loops in my application, it consistently crashes

I've recently started learning reactjs and I'm working on a simple app. I created a decrement button that should only work if the item count is greater than or equal to zero. However, when I tried using while and for loops in my code, my app cras ...

javascriptreactjs

Why does the pound symbol in z-index always show up in Angular?

Having an issue with my code where I set a z-index in the CSS like this: .mat-mini-fab { position: absolute; right: 5px; top: 4px; z-index: 999; box-shadow: none !important; } However, whenever I visit my site, the z-index is not being appl ...

javascriptcssangulartypescript

Analyzing and swapping objects within two arrays

Looking for a better way to append an array of objects customData to another array testData? If there are duplicate objects with the same name, replace them in the resulting array while maintaining their order. Here's my current approach in ES6 - any ...

javascriptecmascript-6

What are the steps to clipping a canvas using CSS clip-path?

When it comes to clipping a canvas, there are multiple methods that can be used. One way is to create a path with getContext('2d') and set globalCompositeOperation. Another method involves using -webkit-clip-path or clip-path, though the latter m ...

javascriptcsshtmlcanvaswebkit

Troubleshooting JavaScript for Sidebar Disappearance due to marginRight and display CSS Issue

I need to adjust the layout of my website so that the sidebar disappears when the window is resized below a certain width, and then reappears when the window is expanded. Here is the HTML code: <style type="text/css"> #sidebar{ width:290 ...

javascriptjquerycsshidesidebar

Cannot find property in type, and the parameter is implicitly of an unspecified type

I've been encountering this issue where I keep getting an error message. I attempted to resolve it by setting "noImplicitAny": false in tsconfig.json, but unfortunately that did not work. As for the 'Property does not exist on type' error, I ...

javascripthtmlangulartypescriptfirebase

Creating a list of identical elements with shared attribute values using nightwatch.js or JavaScript - a step-by-step guide

I have been using nightwatch.js for automating tests on a web application, and I am facing difficulties in creating a list of elements that share common values in their attributes. Below is an example: The first three spans with a common value for the att ...

javascriptjqueryui-automationui-testingnightwatch.js

Setting up route handlers in Node.js on a pre-initialized HTTP server

Is there a way to add route handlers to an http server that is already instantiated? Most routers, including express, typically need to be passed into the http.createServer() method. For instance, with express: var server = http.createServer(app); My r ...

javascriptnode.jsexpressroutes

An error has occurred: Noty (notification library) is not defined in this AngularJS Web Application

I am currently diving into the world of AngularJS and building a web application from scratch. As a newbie to AngularJS, I want to point out that I might be missing something crucial. An issue has arisen: After installing the Noty library (npm install no ...

javascriptangularjsnpmdefinednoty

Making sure the axios API call is completed before rendering the child component with props

Check out the snippet of code I've provided: function StoryCarousel(props) { const [ivrDests, setIVRDests] = useState([]); useEffect(() => { async function getIVRDests() { var data = { "customer-id": ...

javascriptreactjsreact-reduxreact-hooksuse-effect

Expo background fetch initialized but not activated

During the development of my React Native app, I encountered the need to perform periodic background fetches from another server. To achieve this, I utilized two classes from Expo: import * as BackgroundFetch from 'expo-background-fetch'; import ...

javascriptreactjstypescriptreact-nativeexpo

A guide to integrating Material-UI with your Meteor/React application

I encountered an issue while trying to implement the LeftNav Menu from the Material-UI example. The error message I received is as follows: While building for web.browser: imports/ui/App.jsx:14:2: /imports/ui/App.jsx: Missing class properties transf ...

javascriptmeteorreactjsnpmmaterial-ui

Click and release file upload

I am working on creating a drag and drop upload feature where the user can drop files onto a div, and then click an upload button to send them to the server. I'm facing an issue with JavaScript not recognizing the variable fd. How can I pass that vari ...

javascriptjqueryajaxdrag-and-drop

Vue and Typescript. Report: Module cannot be located: Could not locate file './components/mycomponent.vue'

Using both Vue.js with TypeScript and TypeScript in Express was smooth sailing until I attempted to incorporate single file components in Vue.js. Below is the code for my component: <template> <div>This is a simple component. {{msg}}</d ...

vue.js

Why do static files in Node.js + Express.js on Windows take up to two minutes to load?

I'm encountering an issue in my Windows environment with Node.Js/Express.js where static JS files can sometimes be labeled as 'pending' in the browser (even with caching disabled) for up to two minutes before finally downloading successfully ...

javascriptnode.jsexpressstatic-files

Script for uploading multiple images without using flash, with customization options available for each individual upload

Looking for a non-flash images uploader script that has the following features: Ability to upload multiple files Supports drag and drop functionality Displays progress bar for each upload Shows small preview of each upload Allows for resumable downloads ...

javascriptjqueryajaxfile-upload

Transfer or duplicate an SVG image from the bottom div to the top div

Is there a way to move a div from the chart_div to the movehere div? I've tried duplicating it below the current svg, but I'm having trouble targeting just the header row ('g' element) specifically. Here is the HTML: <script type= ...

javascriptjqueryhtmlcsssvg

Invoke a function from a neighboring component using React hooks

Is there a way to call a function from another component using props or context? I've attempted to do this using props and context, but I'm getting confused as I need to pass an actual function with parameters. The goal is to invoke the handleS ...

javascriptreactjs

Connecting Vue component data to external state sources

I am facing a challenge with integrating a Vue component into a large legacy system that is not based on Vue. This component retrieves data through AJAX requests and displays information based on an array of database record IDs, typically passed at page lo ...

javascriptajaxvue.jsvuejs2vue-component

Creating formGroups dynamically for each object in an array and then updating the values with the object data

What I am aiming to accomplish: My goal is to dynamically generate a new formGroup for each recipe received from the backend (stored in this.selectedRecipe.ingredients) and then update the value of each formControl within the newly created formGroup with t ...

javascriptangulartypescriptangular-reactive-forms