I'm trying to learn NodeJS and I am at the session part (see if a user is logged in or not). I wrote code stating that IF HE IS logged in, it shows a page and IF HE IS NOT, it shows another one:

```javascript
app.get('/home', function(request, response) {
  // If the user is logged in
  if (request.session.loggedin) {
    // show the home page of logged users
    response.sendFile(path.join(__dirname+'/views/loggedin/index.html'));
  } else {
    // Not logged in
    response.send('Please login to view this page! <a href="login">login</a>');
  }
});
```

It works properly except ONE LITTLE THING. It doesn't want to load the scripts. It is the exact same code as the home page, but it doesn't allow me to load it.

The console errors

HTML :

```html
<html>
  <head>
    <script src="https://cdn.tailwindcss.com"></script>
    <script src="https://code.jquery.com/jquery-3.6.0.min.js" integrity="sha256-/xUj+3OJU5yExlq6GSYGSHk7tPXikynS7ogEvDej/m4=" crossorigin="anonymous"></script>
  </head>
  <body class="p-0 m-0">
    <div id="header"></div>
    <script src="https://cdn.jsdelivr.net/gh/alpinejs/alpine@v2.x.x/dist/alpine.min.js" defer></script>
    <div class="w-full text-gray-700  dark:text-gray-200 dark:bg-gray-900">
      <div class="w-full grid place-items-center text-5xl h-screen">GACHA GAME IN NODEJS
      </div>

      <div class="container" align="center">
      </div> <!-- container -->
    </div>

    <!-- Inline script kept inside <body> so the document is well-formed -->
    <script>
      $("#header").load("navbar");
    </script>
  </body>
</html>
```
  • This is the script : It's the CDN of tailwind, it's in the HTML `` –  Apr 16 '22 at 21:05
  • I can't tell if your comment formatting is messed up or if the actual `script` tag is messed up. Can't see the whole script tag in your comment. Please use a single backquote before and after the tag to fix the formatting. – jfriend00 Apr 16 '22 at 21:08
  • My bad, I just did –  Apr 16 '22 at 21:09
  • So, there must be something else in the web page that is affecting that ` – jfriend00 Apr 16 '22 at 21:16
  • Like I said, I literally copy-pasted the code from the home page, and it doesn't load only when the user is connected [The code](https://imgur.com/a/poyw8AP) Sorry, couldn't find another way to show it all –  Apr 16 '22 at 21:18
  • I can't read that screenshot. Why can't you paste the HTML into your question? Code or HTML in images is not the recommended practice on this site. – jfriend00 Apr 16 '22 at 21:24

1 Answer

The error that you provided says that it was not able to load the scripts due to the Content Security Policy, so I think you should set the Content Security Policy with any external script:

```javascript
app.get('/home', function(request, response) {
  // If the user is logged in
  if (request.session.loggedin) {
    response.sendFile(path.join(__dirname+'/views/loggedin/index.html'));
  } else {
    // setting the header here
    // (the handler's parameter is `response`, not `res`, and the CSP keyword
    // 'self' must be single-quoted or it is read as a host name)
    response.set({"Content-Security-Policy": "script-src-elem 'self' https://cdn.jsdelivr.net/gh/alpinejs/alpine@v2.x.x/dist/alpine.min.js https://code.jquery.com/jquery-3.6.0.min.js https://cdn.tailwindcss.com;"});
    response.send('Please login to view this page! <a href="login">login</a>');
  }
});
```

Or you can add a meta tag in your HTML file as well, see this question. But be careful with this approach because it can allow XSS attacks.

Yago Biermann
  • Putting it in the else doesn't change anything, but putting it in the IF gives me a `GET https://cdn.tailwindcss.com/ net::ERR_BLOCKED_BY_RESPONSE.NotSameOriginAfterDefaultedToSameOriginByCoep 302` Sorry to waste your time here, but neither this nor the meta tags work –  Apr 17 '22 at 08:44
  • EDIT: it seems that it was helmet that caused the problem! I deleted the app.use('helmet') –  Apr 17 '22 at 12:51
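
Why the CDN scripts were refused, and what the header from the answer permits with `self` unquoted versus quoted, as an added example that is not part of the original posts: a simplified script-source matcher in plain Node.js. `PAGE` and the `STRICT` policy are assumptions standing in for the asker's app and for the policy helmet was sending; wildcards, nonces and hashes are not modelled.

```javascript
// Added illustration: simplified CSP script-source matching (assumptions labelled below).
const PAGE = 'http://localhost:3000/home'; // assumed URL of the app in the question

// The three external scripts the question's HTML loads.
const SCRIPTS = [
  'https://cdn.tailwindcss.com',
  'https://code.jquery.com/jquery-3.6.0.min.js',
  'https://cdn.jsdelivr.net/gh/alpinejs/alpine@v2.x.x/dist/alpine.min.js',
];

const STRICT = "default-src 'self'; script-src 'self'";         // assumed strict policy
const UNQUOTED = `script-src-elem self ${SCRIPTS.join(' ')};`;   // bare `self`, as first posted
const QUOTED = UNQUOTED.replace(' self ', " 'self' ");          // keyword quoted correctly

// Parse "name src src; name src" into { name: [src, ...] }; the first duplicate wins.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !(name.toLowerCase() in policy)) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Does a single source expression allow this script URL?
function sourceAllows(source, scriptUrl, pageUrl) {
  const script = new URL(scriptUrl, pageUrl);
  const page = new URL(pageUrl);
  if (source === "'self'") return script.origin === page.origin;
  if (source.startsWith("'")) return false; // 'none', nonces, hashes: not modelled
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return script.protocol === source.toLowerCase();
  // Host source: without a scheme it inherits the page's, so a bare `self` is a host NAME.
  const src = new URL(source.includes('://') ? source : `${page.protocol}//${source}`);
  if (src.protocol !== script.protocol || src.host !== script.host) return false;
  // A source path ending in "/" is a prefix; any other path must match exactly.
  return src.pathname.endsWith('/')
    ? script.pathname.startsWith(src.pathname)
    : script.pathname === src.pathname;
}

// For <script> elements: script-src-elem, then script-src, then default-src.
function scriptAllowed(header, scriptUrl, pageUrl = PAGE) {
  const p = parseCsp(header);
  const sources = p['script-src-elem'] ?? p['script-src'] ?? p['default-src'];
  return !sources || sources.some((s) => sourceAllows(s, scriptUrl, pageUrl));
}

const blocked = (header, urls = SCRIPTS) => urls.filter((u) => !scriptAllowed(header, u));
console.log({ strict: blocked(STRICT), quoted: blocked(QUOTED) });
```

The `NotSameOriginAfterDefaultedToSameOriginByCoep` error quoted in the comment above comes from a different response header (Cross-Origin-Embedder-Policy), which this matcher does not cover.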