Just upgraded to latest FF, and ALL of my backend dev is now broken.

Code example:

server.js

```js
'use strict'
// dependencies
const bodyParser = require('body-parser')
const cors = require('cors')
const express = require('express')

// local definitions
const port = process.env.PORT || 4201
const bugsAPI = require('./bugs.api.js')

const app = express()

// Middleware
app.use(cors())
app.options('*', cors())
var allowCrossDomain = function(req, res, next) {
    res.header('Access-Control-Allow-Origin', '*')
    res.header('Access-Control-Allow-Methods', 'GET, PUT, POST, DELETE')
    res.header('Access-Control-Allow-Headers', 'Content-Type')
    next();
}
app.use(allowCrossDomain)
app.use(bodyParser.json())
app.use('/api/bugs', bugsAPI)

app.listen(port, () => console.log(`Server started on port ${port}`))
```

bugs.api.js

```js
const router = require('express').Router()
const mongodb = require('mongodb')

const config = require('./mongo.config.json')

// load current bugList on first request
router.get('/', async (req, res) => {
  const bugList = await loadBugsCollection()
  res.send(await bugList.find({}).toArray())
})

// Get list of bugs
async function loadBugsCollection() {
  const client = await mongodb.MongoClient.connect(
    config.mongo_hook,
    {
      useNewUrlParser: true,
      useUnifiedTopology: true
    }
  )

  return client.db(config.db).collection('tickets')
}

module.exports = router
```

The following solutions have NOT worked:

Loading of a resource blocked by Content Security Policy

How to fix 'Content Security Policy: The page’s settings blocked the loading of a resource at http://localhost:8080/favicon.ico (“default-src”).'

https://lollyrock.com/posts/content-security-policy/

Helmet CSP not working correctly?

How to configure CSP-headers with express/node.js?

https://github.com/nextcloud/server/issues/12724

how to correct issue with nodejs with react app not loading content properly related to Content Security Policy

Call to function() blocked by CSP even after adding 'unsafe-eval'

https://github.com/helmetjs/helmet

Make Angular working with restrictive Content Security Policy (CSP)

Content security policy blocking remote CSS background image

Content Security Policy "data" not working for base64 Images in Chrome 28

It all worked last week. Super frustrated with this breaking change; please help!!

sideshowbarker
milo
  • https://stackoverflow.com/questions/51469937/helmet-csp-not-working-correctly did not solve problem – milo Nov 13 '19 at 03:45
  • https://helmetjs.github.io/docs/csp/ did not solve problem – milo Nov 13 '19 at 03:47
  • https://stackoverflow.com/questions/57436508/loading-favicon-icon-from-express-web-server-causes-content-security-policy-viol did not solve problem – milo Nov 13 '19 at 03:49
  • https://stackoverflow.com/questions/48800051/csp-error-in-a-node-js-application did not solve problem – milo Nov 13 '19 at 03:52
  • https://stackoverflow.com/questions/52291783/nodejs-https-unable-to-set-content-security-policy did not solve problem – milo Nov 13 '19 at 03:53
  • What errors are you seeing? What isn't working? – Evan Hahn Nov 14 '19 at 14:38
  • @EvanHahn, thanks, should have included that. Errors are in the browser console, server console reports no errors: `Content Security Policy: The page’s settings blocked the loading of a resource at eval (“default-src”). Content Security Policy: The page’s settings blocked the loading of a resource at inline (“default-src”). 2 preload.js:169:52 Content Security Policy: The page’s settings blocked the loading of a resource at inline (“default-src”). element-collapser.js:88:56` Also a favicon error. Not even trying to load a favicon, just expecting to see JSON. – milo Nov 15 '19 at 21:32
  • It looks like, somewhere, someone is setting the `Content-Security-Policy` header that's blocking some stuff from happening. Is that something you can find and update to fix this problem? – Evan Hahn Nov 16 '19 at 21:18
  • @EvanHahn, that is what has me stumped. I have set the CSP in every way I can google. Tried disabling in the browser. Set it serverside using cors, helmet, express-csp, helmet-csp... The errors show attempts to load stuff I am not even trying to serve, such as favicons, stylesheets, and eval statements. None of those are even in the project. The errors also reference js files that are not in the project, so they must be coming from the compiler. Thanks for your support. Very discouraged, stepped away from learning dev for a bit over this. Maybe the next browser update will fix it? – milo Nov 17 '19 at 01:39
  • Hmm, that may fix it. What does the `Content-Security-Policy` header look like in the Network tab of your browser's web inspector? Is there a CSP in a `` tag on the page? Does the same error happen on other browsers? – Evan Hahn Nov 17 '19 at 17:23
  • @EvanHahn, thanks for the idea to look at the Network tab. Same error occurs in Chrome. Away from my desk but will check that out and report back – milo Nov 19 '19 at 20:05
  • @milo How are you? Is this problem fixed? – Yohan W. Dunon May 30 '21 at 12:56
  • I’m voting to close this question because OP clearly walked away from this years ago, and no current or future visitor benefits from this post showing up on SO and google results. – Mike 'Pomax' Kamermans Feb 18 '23 at 20:40
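
The comments above suggest reading the `Content-Security-Policy` value from the Network tab; the next step is working out what that value blocks. The following is an added example, not code from the question or from any commenter: it parses a header value and reports, for the loads named in the console errors (inline, eval, favicon), whether the policy allows them and which directive decided. The function names are hypothetical and the header strings are constructed samples.

```javascript
// Added example. Header strings passed to diagnose() are constructed samples;
// substitute the value copied from the browser's Network tab.

// Split "name v1 v2; name v1" into a Map of directive -> source list.
// Everything is lower-cased, which is fine for keyword checks only.
function parseCsp(headerValue) {
  const policy = new Map()
  for (const part of headerValue.split(';')) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/)
    // A repeated directive is ignored: the first occurrence wins.
    if (name && !policy.has(name)) policy.set(name, sources)
  }
  return policy
}

// A nonce or hash source makes the browser ignore 'unsafe-inline'.
const NONCE_OR_HASH = /^'(nonce|sha(256|384|512))-/

// 'strict-dynamic' has the same effect, but only for scripts.
const inlineAllowed = (s, isScript) =>
  s.includes("'unsafe-inline'") &&
  !s.some((v) => NONCE_OR_HASH.test(v) || (isScript && v === "'strict-dynamic'"))

// For each kind of load, return { allowed, via }. `via` is the directive that
// decided: the specific one if present, otherwise default-src, otherwise null.
// It is the name the browser prints in parentheses, e.g. ("default-src").
function diagnose(headerValue) {
  const policy = parseCsp(headerValue)
  const check = (directive, test) => {
    const via = [directive, 'default-src'].find((d) => policy.has(d)) || null
    return { allowed: via === null || test(policy.get(via)), via }
  }
  return {
    inlineScript: check('script-src', (s) => inlineAllowed(s, true)),
    inlineStyle: check('style-src', (s) => inlineAllowed(s, false)),
    eval: check('script-src', (s) => s.includes("'unsafe-eval'")),
    // Only 'self' and * are recognised; host and scheme sources are not.
    sameOriginImage: check('img-src', (s) => s.includes("'self'") || s.includes('*')),
  }
}

// Constructed sample: a policy with nothing but a closed default-src.
console.log(diagnose("default-src 'none'"))
```

A result whose `via` is `default-src` means the policy has no more specific directive for that load, so the policy to change is the one that sets `default-src`.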

0 Answers