This repository has been archived by the owner on Aug 3, 2020. It is now read-only.

helmet blocks external links #20

Closed
kennethaasan opened this issue Sep 4, 2015 · 6 comments

@kennethaasan

Hi,

Thank you for this wonderful project.

I have one problem that I can't figure out. External links (<a href="http://google.com" target="_blank">Google</a>) don't work with Chrome and Safari, but work on Firefox. What have I done wrong in my config?

app.use(helmet.contentSecurityPolicy({
    defaultSrc: ["'self'"],
    scriptSrc: ["'self'"],
    styleSrc: ["'self'", "'unsafe-inline'"],
    imgSrc: ["'self'"],
    connectSrc: ["'self'"],
    fontSrc: ["'self'"],
    sandbox: ['allow-forms', 'allow-scripts', 'allow-same-origin'],
    // reportUri: '/report-violation',
    reportOnly: false, // set to true if you only want to report errors
    setAllHeaders: false, // set to true if you want to set all headers
    disableAndroid: false, // set to true if you want to disable Android (browsers can vary and be buggy)
    safari5: false // set to true if you want to force buggy CSP in Safari 5
}));
@EvanHahn
Member

EvanHahn commented Sep 4, 2015

Can you open up your devtools so we can see what the CSP looks like?

@kennethaasan
Author

Here is a screenshot of what the response looks like:

[Screenshot: helmet]

There is no information in the console that something happened with CSP. But when I disable helmet on the Node server, I'm able to click on external links.

Best regards,
Kenneth

@EvanHahn
Member

Not sure what's wrong here. A guess: try adding allow-top-navigation to the sandbox part of your directive and see what happens.

@EvanHahn
Member

@kennethaa Any luck with that?

@EvanHahn
Member

@kennethaa I'd love to get this issue closed. Are you still having this issue?

@kennethaasan
Author

Hi @EvanHahn ,

Sorry for not responding. I've stopped using contentSecurityPolicy for now, so I can reopen if this is happening when I'm using it again.
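
Added example (not part of the thread and not helmet's code): a small checker for a Content-Security-Policy header value, as copied from devtools, that reports which link-related capabilities its sandbox directive removes in browsers that enforce the directive. The function names and the sample header are assumptions; the header is constructed from the directives in the config quoted above.

```javascript
// What each missing sandbox token blocks (HTML sandboxing flags).
const LINK_TOKENS = {
  'allow-popups':
    'opening new windows or tabs (target="_blank" links, window.open())',
  'allow-top-navigation':
    'navigating the top-level browsing context from a nested frame',
};

// Split a CSP header value into a Map of directive name -> array of values.
function parseCsp(headerValue) {
  const directives = new Map();
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Duplicate directives are ignored: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Return the link-related capabilities that the policy's sandbox removes.
function blockedLinkBehaviours(headerValue) {
  const directives = parseCsp(headerValue);
  if (!directives.has('sandbox')) return []; // no sandbox, nothing removed
  const granted = new Set(
    directives.get('sandbox').map((t) => t.toLowerCase())
  );
  return Object.keys(LINK_TOKENS)
    .filter((token) => !granted.has(token))
    .map((token) => ({ missing: token, blocked: LINK_TOKENS[token] }));
}

// Constructed sample: the header the quoted config would be expected to emit.
const SAMPLE_HEADER =
  "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; " +
  "img-src 'self'; connect-src 'self'; font-src 'self'; " +
  'sandbox allow-forms allow-scripts allow-same-origin';

for (const finding of blockedLinkBehaviours(SAMPLE_HEADER)) {
  console.log(`sandbox lacks ${finding.missing}: blocks ${finding.blocked}`);
}
```

Each sandbox token added back widens what the page may do, so grant only the ones the application needs.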
