Home > other >  https://apis.google.com/js/api.js is getting blocked by csp on my production react app
https://apis.google.com/js/api.js is getting blocked by csp on my production react app

Time:10-30

I need help. https://apis.google.com/js/api.js is getting blocked by csp on my production react app. I have added the webpack config as well.

new CspHtmlWebpackPlugin({
      // 'base-uri': "'self'",
      // 'object-src': "'none'",
      'script-src': [
        "'unsafe-inline'",
        "'unsafe-eval'",
        "https://apis.google.com/js/api.js",
        "https://www.wiris.net/demo/plugins/app/configurationjs",
        "https://as.alipayobjects.com/g/component/fastclick/1.0.6/fastclick.js",
        "https://cdn.mathjax.org/mathjax/latest/MathJax.js",
      ],
      'style-src': ["'unsafe-inline'", "'self'", "'unsafe-eval'"]
    })

i am using csp-html-webpack-plugin

CodePudding user response:

Suggestions to check:

1. Check if there is a Redirect

If this is getting replicated in your local environment - try to see if there is a redirect (in the chrome network tab). For privacy reasons, in 301/302 redirects to a separate domain (that is not in the allow-list), the CSP report will contain the ORIGINAL request url, which can be very confusing.

2. Try allowing the full domain

i.e. allow https://apis.google.com instead of https://apis.google.com/js/api.js and see if it persists.

3. Extra tip

There is no need/use for 'unsafe-eval' in style-src. You can remove it.

CodePudding user response:

Looks like you have miconfigured csp-html-webpack-plugin - you have to include both HtmlWebpackPlugin and CspHtmlWebpackPlugin plugins in your webpack config because last one is based on the first one:

const HtmlWebpackPlugin = require('html-webpack-plugin');
const CspHtmlWebpackPlugin = require('csp-html-webpack-plugin');

module.exports = {
  // rest of webpack config

  plugins: [
    new HtmlWebpackPlugin()
    new CspHtmlWebpackPlugin({
       // CSP config here:
       enabled: true,

       'script-src': [
       "'unsafe-inline'",
       "'unsafe-eval'",
       "'self'",
       "https://apis.google.com/js/api.js",
       "https://www.wiris.net/demo/plugins/app/configurationjs",
       "https://as.alipayobjects.com/g/component/fastclick/1.0.6/fastclick.js",
       "https://cdn.mathjax.org/mathjax/latest/MathJax.js",
     ],
     'style-src': ["'unsafe-inline'", "'self'"],

     processFn: defaultProcessFn,
     })
  ]
}

Also do check:

  • which CSP do you really have got in the <meta equiv="content-security-policy" content="..."> tag.
  • do you have any Content-Security-Policy HTTP response header in the Dev Tool because some middleware(e g. Helmet) can publish its own default CSP.

And please add to the question a CSP error message from the browser console.

Page link:https//www.codepudding.com/other/172089.html

Prev:Webpack plugin API: getting source maps for a module during parsing
Next:Webpack importing module from different chunk instead of up-to-date version available in the same ch
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding