Just coming back to Node-RED after a long absence, and I find that either my Node-RED server (v0.20.5) no longer sets the correct Content Security Policy header, my browser no longer recognises it (Firefox 68.11.0esr), or something else related to CSP is borked; my dashboard won't load (I just get a blank page) and the browser console reports Content Security Policy: The page’s settings blocked the loading of a resource at https://192.168.11.12:1880/ui/js/app.min.js (“script-src”). I've tried npm update etc, but no change. Tired and confused after returning home from four months of Covid-19 induced exile, what am I missing?
Do you normally use https access rather than http even on the local network?
Yes. IIRC HSTS is enabled. The admin interface works fine.
>bump<
Anyone?
I have upgraded my node-red box from Jessie to Buster (via Stretch), node.js to 12.18.3, node-red to 1.1.3 and node-red-dashboard to 2.23.2. The problem remains the same. Extensive searching on the interwebs has come up with nothing.
The issue appears to be related to NoScript:
Curisouly, NoScript still intercepts the CSP reports even after uninstalling NoScript completely and restarting Firefox:
POST noscript-csp.invalid /__NoScript_Probe__/ csp 0 B 0 B 1 ms
POST noscript-csp.invalid /__NoScript_Probe__/ csp 0 B 0 B 1 ms
POST noscript-csp.invalid /__NoScript_Probe__/ csp 0 B 0 B 1 ms
I don't think this is the issue though; the CSP reports are generated because loading of the node-red-dashboard scripts fails the CSP check - the fact that NoScript intercepts the reports has nothing to do with the scripts failing the check; it happens because the report URL is invalid (or in this case null). So I'm still nowhere closer to being able to access the node-red-dashboard which worked perfectly six months ago.
LOL. Fixed! By clearing cookies & data for 192.168.13.100 and logging back in. Go figure.
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.
