I am serving an HTML page from my Node.js server with the express.public() function,
and I added this to my HTML page:
<script src="https://cdn.jsdelivr.net/npm/vue@2/dist/vue.js"></script>
And Chrome gave me a Content-Security-Policy.
I used these middlewares in my Node index.js:
app.use(morgan('tiny'));
app.use(helmet());
app.use(cors());
app.use(express.json());
app.use(express.static("./public"));
My application headers:
Content-Security-Policy: default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
How can I add this script without any SecurityPolicy?
SOLVED
I removed "Helmet" from my project. Helmet is blocking all CDNs and scripts other than the absolute domain.
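
Added example, not part of the original post and not Helmet's own code: the header quoted above blocks the Vue script because script-src lists only 'self', and adding the CDN origin to that one directive keeps the rest of the policy in place. The page origin, the function names and the simplified source matching are assumptions made for illustration.

```javascript
// Header value copied from the question (Helmet's default policy).
const HEADER = "default-src 'self';base-uri 'self';block-all-mixed-content;" +
  "font-src 'self' https: data:;frame-ancestors 'self';img-src 'self' data:;" +
  "object-src 'none';script-src 'self';script-src-attr 'none';" +
  "style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests";
const VUE = "https://cdn.jsdelivr.net/npm/vue@2/dist/vue.js";
const PAGE_ORIGIN = "http://localhost:3000"; // assumed; the question does not give it

// Parse a CSP header value into { directive: [sources] }.
// A repeated directive is ignored, as browsers do.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in policy)) policy[key] = sources;
  }
  return policy;
}

// Sources governing <script src>: script-src, falling back to default-src.
function scriptSources(policy) {
  return policy["script-src"] || policy["default-src"] || [];
}

// Simplified matching: 'self', scheme sources (https:) and exact origins only.
// Wildcards, paths, nonces and hashes are not handled.
function scriptAllowed(policy, scriptUrl, pageOrigin) {
  const url = new URL(scriptUrl);
  return scriptSources(policy).some((src) =>
    (src === "'self'" && url.origin === pageOrigin) ||
    src === url.protocol || src === url.origin);
}

// Copy of the policy with one extra origin in script-src.
function allowScriptOrigin(policy, origin) {
  const kept = scriptSources(policy).filter((s) => s !== "'none'");
  return { ...policy, "script-src": [...new Set([...kept, origin])] };
}

function serializeCsp(policy) {
  return Object.entries(policy).map(([k, v]) => [k, ...v].join(" ")).join(";");
}

const before = parseCsp(HEADER);
const after = allowScriptOrigin(before, new URL(VUE).origin);
console.log(scriptAllowed(before, VUE, PAGE_ORIGIN), scriptAllowed(after, VUE, PAGE_ORIGIN));
console.log(serializeCsp(after));
// With Helmet left enabled, `after` can be passed as its CSP directives
// (assumes Helmet 4 or later):
//   app.use(helmet({ contentSecurityPolicy: { directives: after } }));
```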