Content Security Policy fails

Just coming back to Node-RED after a long absence, and I find that either my Node-RED server (v0.20.5) no longer sets the correct Content Security Policy header, my browser no longer recognises it (Firefox 68.11.0esr), or something else related to CSP is borked; my dashboard won't load (I just get a blank page) and the browser console reports Content Security Policy: The page’s settings blocked the loading of a resource at (“script-src”). I've tried npm update etc, but no change. Tired and confused after returning home from four months of Covid-19 induced exile, what am I missing?

Do you normally use https access rather than http even on the local network?

Yes. IIRC HSTS is enabled. The admin interface works fine.



I have upgraded my node-red box from Jessie to Buster (via Stretch), node.js to 12.18.3, node-red to 1.1.3 and node-red-dashboard to 2.23.2. The problem remains the same. Extensive searching on the interwebs has come up with nothing.

The issue appears to be related to NoScript:

Curisouly, NoScript still intercepts the CSP reports even after uninstalling NoScript completely and restarting Firefox:

  POST  noscript-csp.invalid  /__NoScript_Probe__/  csp   0 B 0 B  1 ms
  POST  noscript-csp.invalid  /__NoScript_Probe__/  csp   0 B 0 B  1 ms
  POST  noscript-csp.invalid  /__NoScript_Probe__/  csp   0 B 0 B  1 ms

I don't think this is the issue though; the CSP reports are generated because loading of the node-red-dashboard scripts fails the CSP check - the fact that NoScript intercepts the reports has nothing to do with the scripts failing the check; it happens because the report URL is invalid (or in this case null). So I'm still nowhere closer to being able to access the node-red-dashboard which worked perfectly six months ago.

LOL. Fixed! By clearing cookies & data for and logging back in. Go figure.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.