我使用Helmet 4.4.1版本进行了尝试,以下两个版本都设置为true,用于升级不安全的请求CSP
upgradeInsecureRequests: [] and upgradeInsecureRequests: ['true']
以上哪种格式正确?
这对我有效:
app.use(
helmet.contentSecurityPolicy({
directives: {
"script-src": ["'self'"],
upgradeInsecureRequests: null
},
})
);
将upgradeInscureRequests设置为null:
upgradeInsecureRequests: null
这对我有效:
defaultDirectives = helmet.contentSecurityPolicy.getDefaultDirectives();
delete defaultDirectives['upgrade-insecure-requests'];
app.use( helmet() );
app.use(helmet.contentSecurityPolicy({
directives: {
...defaultDirectives,
},
}));
delete部分移除defaultDirectives对象中的upgrade-insecure-requests密钥。
经过几个小时的尝试和错误,我已经开始工作了。我是这样做的:
const defaultCspOptions = helmet.contentSecurityPolicy.getDefaultDirectives();
delete defaultCspOptions["upgrade-insecure-requests"]
app.use(helmet({
contentSecurityPolicy: {
useDefaults: false,
directives: { ...defaultCspOptions },
})
)
就像尼科·塞拉诺的回答一样,是的。事实上,它激发了这一点。我只是加了useDefaults: false。否则,即使'upgrade-insecure-requests'属性在defaultCspOptions中不再存在,头盔也会自动使用默认值重新应用任何丢失的属性。使delete部分变得无用。
已解决:我们可以简单地添加upgradeInscureRequests:[]