[v5] CSP config for 'self' is broken? #3233

bjornarhagen · 2021-10-09T22:17:32Z

bjornarhagen
Oct 9, 2021

Hello!
So I've followed the docs on how to setup the adonisjs/shield package. I've got CSRF working, and now I'm looking into CSP.
It seems the configuration is broken, or maybe I'm just using it wrong? Any help here would be greatly appreciated.

Here is the config:

export const csp: ShieldConfig['csp'] = {
    enabled: true,
    directives: {
        defaultSrc: ['self']
    }
}

From my understanding of CSP, this should allow all resources to load as long as it's from the same origin.
Howoever, with this setup everything gets blocked.

Looking at the network tab in my dev tools, I can see the request header contains this:

Content-Security-Policy: default-src self

Looking at the docs for CSP, self should be wrapped in single qoutes, like so:

Content-Security-Policy: default-src 'self'

If I change to defaultSrc: ["'self'"] it works, but is this how it should work? If so maybe the Adonis docs should be updated to reflect this.

Answered by thetutlage

Oct 10, 2021

Yup. Docs needs to be fixed here. Can you please create a PR for the same?

View full answer

thetutlage · 2021-10-10T04:08:56Z

thetutlage
Oct 10, 2021
Maintainer

Yup. Docs needs to be fixed here. Can you please create a PR for the same?

1 reply

bjornarhagen Oct 10, 2021
Author

Ok, here you go adonisjs/v5-docs#76 :)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

AdonisJS Framework

[v5] CSP config for 'self' is broken? #3233

{{title}}

Replies: 1 comment 1 reply

{{title}}

{{title}}

Select a reply

AdonisJS Framework

[v5] CSP config for 'self' is broken? #3233

bjornarhagen Oct 9, 2021

Replies: 1 comment · 1 reply

thetutlage Oct 10, 2021 Maintainer

bjornarhagen Oct 10, 2021 Author

bjornarhagen
Oct 9, 2021

Replies: 1 comment 1 reply

thetutlage
Oct 10, 2021
Maintainer

bjornarhagen Oct 10, 2021
Author