Question
I get the following error when I try to load the website I am creating
Refused to load the image 'http://167.71.89.74/favicon.ico' because it violates the following Content Security Policy directive: "default-src 'none'". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.
It looks like my attempts to fix the error change the X-Content-Security-Policy, but not the Content-Security-Policy.
I am using a simple Express server to load the page requests.
I found this question and added a meta tag to my Index.html, but that didn't fix the error.
violates the following Content Security Policy directive
Here is the meta tag I added
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'">
I also tried changing my Express code to do a setHeader as described in the answer to this question
nodeJS https - unable to set Content-Security-Policy
Here is my setHeader code
// Middleware that sets the CSP header on every response that passes through it
app.use(function(req, res, next) {
    res.setHeader("Content-Security-Policy", "default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';");
    return next();
});
I then found out about Helmet, which has a module that allows you to set a content security policy. Here is my Helmet code
const csp = require('helmet-csp');

// helmet-csp builds the header value from these directives
app.use(csp({
    directives: {
        defaultSrc: ["'self'"],
        scriptSrc: ["'self'"],
        connectSrc: ["'self'"],
        imgSrc: ["'self'"],
        styleSrc: ["'self'"]
    }
}));
When I run the following curl command
curl http://167.71.89.74/ --include
I get this
HTTP/1.1 404 Not Found
Content-Security-Policy: default-src 'none'
X-Content-Security-Policy: default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'
X-WebKit-CSP: default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=utf-8
Content-Length: 139
Date: Fri, 09 Aug 2019 19:53:14 GMT
Connection: keep-alive
It looks like my code is setting the X-Content-Security-Policy, but not the Content-Security-Policy.
To fix my error, do I need to make some other change to set the Content-Security-Policy in addition to the X-Content-Security-Policy?
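As an added example (not code from the question, Express or Helmet), this script resolves the effective policy the way a browser does: only the unprefixed `Content-Security-Policy` header counts, the `X-` variants are legacy prefixes that current browsers ignore, and a missing `img-src` falls back to `default-src`. The header lines are a constructed copy of the curl output above; source matching covers `'self'`, `'none'`, `*`, scheme sources and plain origins only (no wildcards, nonces or hashes).

```javascript
// Constructed copy of the 404 response headers shown in the question.
const RAW_404_HEADERS = [
  "Content-Security-Policy: default-src 'none'",
  "X-Content-Security-Policy: default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'",
  "X-WebKit-CSP: default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'",
  "Content-Type: text/html; charset=utf-8",
];

// Return the value of the standard header only; X-Content-Security-Policy and
// X-WebKit-CSP are obsolete prefixes that modern browsers do not enforce.
function effectiveCsp(headerLines) {
  for (const line of headerLines) {
    const idx = line.indexOf(':');
    if (idx < 0) continue;
    if (line.slice(0, idx).trim().toLowerCase() === 'content-security-policy') {
      return line.slice(idx + 1).trim();
    }
  }
  return null;
}

// Parse "default-src 'self'; img-src 'self' https:" into directive -> source list.
// A repeated directive keeps its first occurrence, as the CSP spec requires.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Would a load of `url` governed by `directive` (e.g. 'img-src') be allowed for a
// page at `pageOrigin`? Fallback order matches the browser's error message:
// the specific directive, else default-src, else no restriction.
function isAllowed(policy, directive, url, pageOrigin) {
  const directives = parseCsp(policy);
  const sources = directives.get(directive) ?? directives.get('default-src');
  if (sources === undefined) return true;
  const target = new URL(url);
  const page = new URL(pageOrigin);
  return sources.some((src) => {
    const s = src.toLowerCase();
    if (s === "'none'") return false;
    if (s === '*') return true;
    if (s === "'self'") return target.origin === page.origin;
    if (s.endsWith(':')) return target.protocol === s; // scheme source such as https:
    const allowed = new URL(s.includes('://') ? s : `${page.protocol}//${s}`);
    return allowed.origin === target.origin;
  });
}
```

The 404 status in the curl output matters here: Express's default not-found handler (finalhandler) writes its own `Content-Security-Policy: default-src 'none'` on the error page it generates, which is why that header disagrees with the `X-` headers your middleware set.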
Source: https://stackoverflow.com/questions/57436508/loading-favicon-icon-from-express-web-server-causes-content-security-policy-viol