在centos上部署node.js应用程序时,获取无效的csp策略-必须是数组、字符串或纯对象



过去几个月,我们一直在centOS上运行Node.js应用程序。最近,我们在部署时会间歇性地遇到这个错误。可能是什么问题?

error: uncaughtException: invalid csp policy - must be array, string, or plain object date=Fri May 06 2016 11:07:48 GMT+0530 (IST), pid=5175, uid=0, gid=0, cwd=/, execPath=/usr/local/bin/node, version=v5.10.1, argv=[/usr/local/bin/node, /home/ubuntu/xxxxxx/server.js], rss=83447808, heapTotal=63200032, heapUsed=40600280, loadavg=[1.04150390625, 0.81201171875, 0.5048828125], uptime=565, trace=[column=null, file=null, function=Error, line=null, method=null, native=true, column=11, file=/home/ubuntu/xxxxxx/node_modules/lusca/lib/csp.js, function=module.exports.createPolicyString, line=60, method=exports.createPolicyString, native=false, column=13, file=/home/ubuntu/xxxxxx/node_modules/lusca/lib/csp.js, function=Function.module.exports [as csp], line=23, method=module.exports [as csp], native=false, column=40, file=/home/ubuntu/xxxxxx/node_modules/lusca/index.js, function=null, line=33, method=null, native=false, column=null, file=null, function=Array.forEach, line=null, method=forEach, native=true, column=28, file=/home/ubuntu/xxxxxx/node_modules/lusca/index.js, function=module.exports, line=29, method=exports, native=false, column=9, file=/home/ubuntu/xxxxxx/server.js, function=, line=99, method=null, native=false, column=34, file=module.js, function=Module._compile, line=413, method=_compile, native=false, column=10, file=module.js, function=Object.Module._extensions..js, line=422, method=Module._extensions..js, native=false, column=32, file=module.js, function=Module.load, line=357, method=load, native=false, column=12, file=module.js, function=Function.Module._load, line=314, method=Module._load, native=false, column=10, file=module.js, function=Function.Module.runMain, line=447, method=Module.runMain, native=false, column=18, file=node.js, function=startup, line=146, method=null, native=false, column=3, file=node.js, function=null, line=404, method=null, native=false], stack=[Error: invalid csp policy - must be array, string, or plain object,     at Error 
(native),     at module.exports.createPolicyString (/home/ubuntu/xxxxxx/node_modules/lusca/lib/csp.js:60:11),     at Function.module.exports [as csp] (/home/ubuntu/xxxxxx/node_modules/lusca/lib/csp.js:23:13),     at /home/ubuntu/xxxxxx/node_modules/lusca/index.js:33:40,     at Array.forEach (native),     at module.exports (/home/ubuntu/xxxxxx/node_modules/lusca/index.js:29:28),     at Object.<anonymous> (/home/ubuntu/xxxxxx/server.js:99:9),     at Module._compile (module.js:413:34),     at Object.Module._extensions..js (module.js:422:10),     at Module.load (module.js:357:32),     at Function.Module._load (module.js:314:12),     at Function.Module.runMain (module.js:447:10),     at startup (node.js:146:18),     at node.js:404:3]

server.js中使用lusca npm包的代码如下:

// Security-header options handed to lusca; each key configures one protection.
const luscaOptions = {
    // CSRF token validation is switched off in this setup.
    csrf: false,
    // Contents elided in the original post. The uncaught exception quoted on this
    // page is raised by lusca's createPolicyString, which requires the CSP policy
    // to be an array, a string or a plain object.
    csp: { /* ... */},
    // X-Frame-Options: only same-origin pages may frame the app.
    xframe: 'SAMEORIGIN',
    // Placeholder P3P compact-policy value.
    p3p: 'ABCDEF',
    // Strict-Transport-Security for 31536000 s (365 days), subdomains included.
    hsts: {maxAge: 31536000, includeSubDomains: true, preload: true},
    // Enables the X-XSS-Protection header.
    xssProtection: true
};

// Per the stack trace on this page, the policy is validated while lusca() builds
// its middleware, so an invalid csp value stops the process at startup.
app.use(lusca(luscaOptions));

问题在于csp为空。请为csp设置一些值,例如:

app.use(lusca({csrf: false, csp: {policy: {'default-src': '\'self\'', 'img-src': '*'}},

或者只设置一个允许所有来源的策略:csp:{policy:{'default-src':'*'}}。注意:'default-src': '*' 允许从任意来源加载资源,基本上起不到CSP的防护作用,只适合用来确认错误是否消失;正式环境应改用 'self' 加上明确列出的可信来源。

有关详细示例,请访问:https://github.com/krakenjs/lusca.

在旧版本的lusca(1.3)中,即使不设置csp策略,它对我也能正常工作。新版本的行为可能已经有所改变。
