'self' and 'none' values lack quotes #454
Comments
In the short term: You need to quote these values yourself. For example, In the long term: It seems reasonable that Helmet would do this for you, as it's unlikely that users intend to use self/none as origins. I'll think about whether this is a better API in future versions. Feedback welcome!
Also encountered:

```js
// `app` (an Express app) and `serviceWorkerHash` (a crypto Hash object for the
// service worker script) are defined elsewhere in the poster's code.
app.use(helmet({
  contentSecurityPolicy: {
    directives: {
      'script-src': [`'self'`, `'sha256-${serviceWorkerHash.digest('base64')}'`]
    }
  }
}))
```

Our current CSP:
Of course this will be a semver-major change unless code is added to wrap the values only if no quote is present and only on the fixed values of "self" and "none". What is the use case for not auto-adding quotes to these? Don't understand what is implied here:
It's theoretically possible that someone wants to specify However, I think this is so unlikely that Helmet doesn't need to support it. My plan:
- replaces HTML5Rocks URL with web.dev (redirect), add links to relevant MDN docs
- adds doc sections/anchors for defaults, computed directives, disabling directives, and report-only header
- clarifies that defaultSrc will default to 'self' (and is thus not required of the user) when useDefaults: true
- solves helmetjs#404, documents function signature and adds conditional CDN script-src loading example
- adds a common recipe to generate subresource-integrity hashes
- documents caveat of non-hostname values mentioned in helmetjs#454
To reproduce:
Set helmet with a CSP:
Expected result:
All pages have CSP header with

```
... default-src 'self'; child-src 'none'...
```

Actual result:
All pages have CSP header with

```
... default-src self; child-src none...
```

which are interpreted by Firefox as origins named "self" and "none". Thus, the actual CSP is not what is intended.
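The following is an added example, not Helmet's code, showing both sides of this issue: a normalizer that does what the maintainer's plan above describes (quote `self`, `none` and the other CSP keyword, nonce and hash sources when the caller passed them bare, while leaving host sources untouched), and a check that scans an emitted `Content-Security-Policy` header for the unquoted form reported in this issue, since a bare `self` is parsed by the browser as a host named "self". The keyword list is taken from the CSP grammar; the function names and the sample directives are my own.

```javascript
// Added example (not Helmet's own code): quote bare CSP keyword sources and
// detect headers where they were emitted unquoted.

// Keyword sources that the CSP grammar requires to be single-quoted. A bare
// "self" or "none" is instead matched as a host-source (a host with that name).
const CSP_KEYWORDS = new Set([
  'self', 'none', 'unsafe-inline', 'unsafe-eval', 'strict-dynamic',
  'unsafe-hashes', 'report-sample', 'wasm-unsafe-eval',
]);

// Nonce and hash sources ('nonce-...', 'sha256-...') must be quoted as well.
const HASH_OR_NONCE = /^(nonce-|sha(256|384|512)-)/;

// Return the value with quotes added when it is a keyword, nonce or hash
// source that was passed bare. Already-quoted values and host sources
// (https://cdn.example.com, data:, *) pass through unchanged.
function quoteSourceValue(value) {
  const v = String(value).trim();
  if (v.length >= 2 && v.startsWith("'") && v.endsWith("'")) return v;
  if (CSP_KEYWORDS.has(v) || HASH_OR_NONCE.test(v)) return `'${v}'`;
  return v;
}

// Build a Content-Security-Policy header value from an object shaped like
// Helmet's `directives` option, e.g. { 'default-src': ['self'] }.
// Directives with no values (upgrade-insecure-requests) are emitted bare.
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, values]) => {
      const normalized = [].concat(values).map(quoteSourceValue);
      return normalized.length ? `${name} ${normalized.join(' ')}` : name;
    })
    .join('; ');
}

// Defender-side check: given an emitted header value, list every directive
// where a keyword, nonce or hash source appears without quotes, i.e. where the
// browser would treat it as a hostname rather than the intended keyword.
function findUnquotedKeywords(headerValue) {
  const findings = [];
  for (const directive of headerValue.split(';')) {
    const [name, ...values] = directive.trim().split(/\s+/).filter(Boolean);
    if (!name) continue;
    for (const v of values) {
      if (CSP_KEYWORDS.has(v) || HASH_OR_NONCE.test(v)) {
        findings.push({ directive: name, value: v });
      }
    }
  }
  return findings;
}

// Constructed sample mirroring the reproduction in this issue.
const sampleDirectives = {
  'default-src': ['self'],
  'child-src': ['none'],
  'img-src': ["'self'", 'https://cdn.example.com', 'data:'],
  'upgrade-insecure-requests': [],
};

console.log(buildCsp(sampleDirectives));
// → default-src 'self'; child-src 'none'; img-src 'self' https://cdn.example.com data:; upgrade-insecure-requests

// The header as the issue reports it being emitted today: two findings.
console.log(findUnquotedKeywords('default-src self; child-src none'));
```

`findUnquotedKeywords` is the piece worth wiring into a test suite or a response-header check in staging: it catches the silent misconfiguration regardless of which library built the header.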