SSL error with Safari but not Chrome #429
Comments
That's surprising. I wouldn't expect Helmet to be the problem here, but it's possible. It looks like Safari is making requests to

For some reason, it looks like Safari is incorrectly using HTTPS and Chrome is correctly using HTTP. That might explain those SSL errors in Safari. I don't know why Helmet would be causing that to happen, though. Can you create a sample app that reproduces this issue?

Sure thing. Here's a watered down version of my project (same issue still happens): https://github.com/ezrichards/helmet-test-app

Thanks for sending. I'll take a look.
**Short answer:** Safari is inconsistent with Chrome and Firefox when it comes to the Content Security Policy. To get around your problem while testing, you can set the

```js
app.use(helmet.contentSecurityPolicy({
  directives: {
    // ...
    // Disable Helmet's default. Don't forget to
    // remove this when you're done testing!
    upgradeInsecureRequests: null,
  },
}));
```

There are other ways to solve this problem, too, but that's a longer answer...

**Long answer**

As best I can tell, this is an inconsistency (or bug) with Safari. To understand this, you need a little background.

**Background on upgrade-insecure-requests**

Content Security Policy has a directive called For example, if you had the following HTML on your page:

```html
<img src="http://example.com/image.png" alt="test">
```

The I didn't test this, but I assume it also happens if your page is loaded over insecure HTTP with relative URLs. For example, imagine the following HTML:

```html
<img src="/image.png" alt="test">
```

If that HTML were at If you were already using HTTPS, nothing would be rewritten.

**The localhost wrinkle**

There's one tricky piece here, which is what you're running into: I'm not certain, but there seems to be debate over whether To be extra-sure this wasn't a Helmet bug, I reproduced the problem in an app written in a different programming language. Personally, I consider this a bug in Safari, but I'm not familiar with the details of the spec.

So how do you solve your problem today?

**Solutions**

I can think of several ways around this problem.
There are some other options, like removing Helmet altogether or joining the Safari team just to fix this bug, but I suspect those are overkill.

**An aside about Helmet**

As an aside, I saw this in your sample code:

```js
app.use(helmet());
app.use(helmet.contentSecurityPolicy({
  // ...
}));
```

This will work, but is incorrect. (A lot of people make this mistake, which means it's probably my fault for designing a confusing API.) The first call to If you're doing the same thing in your real app, I recommend doing something like this:

```js
app.use(helmet({
  contentSecurityPolicy: {
    directives: {
      // ...
    },
  },
}));
```

Again, what you have will work, but there's a slightly better way.

I'm going to close this issue because I think I've determined this isn't an issue with Helmet, but I'll think about changing this in the future if other people report it.
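As an added example that is not part of this thread or of Helmet's own code, the stand-alone JavaScript below mimics how Helmet-style CSP directives become a `Content-Security-Policy` header value, so you can see exactly what `upgradeInsecureRequests: null` removes, keep that relaxation out of production, and check a response header for the directive. Assumed semantics (modelled on Helmet, not copied from it): camelCase keys become kebab-case directive names, an empty array emits a bare directive, `null` drops the directive, and the default set is a constructed subset for illustration.

```javascript
// Constructed subset of Helmet-like defaults (assumption, not Helmet's real list).
const DEFAULT_DIRECTIVES = {
  defaultSrc: ["'self'"],
  styleSrc: ["'self'", "https:", "'unsafe-inline'"],
  upgradeInsecureRequests: [], // bare directive: "upgrade-insecure-requests"
};

// camelCase directive key -> kebab-case CSP directive name.
const toKebab = (key) => key.replace(/[A-Z]/g, (c) => "-" + c.toLowerCase());

// Merge caller directives over the defaults and serialize to a header value.
// A `null` value removes a default directive entirely, which is what the
// `upgradeInsecureRequests: null` workaround in the thread relies on.
function buildCspHeader(overrides = {}) {
  const merged = { ...DEFAULT_DIRECTIVES, ...overrides };
  return Object.entries(merged)
    .filter(([, value]) => value !== null)
    .map(([key, value]) => [toKebab(key), ...value].join(" "))
    .join("; ");
}

// Development-only relaxation: production keeps the upgrade (browsers rewrite
// http:// subresources to https://), local development over plain http://
// drops it so Safari stops upgrading requests to localhost.
// In a real app these overrides belong under
// helmet({ contentSecurityPolicy: { directives } }) as recommended above.
function cspDirectivesFor(env) {
  return env === "production" ? {} : { upgradeInsecureRequests: null };
}

// Check a served header value: will browsers be told to upgrade requests?
function upgradesInsecureRequests(headerValue) {
  return headerValue
    .split(";")
    .map((directive) => directive.trim().split(/\s+/)[0])
    .includes("upgrade-insecure-requests");
}

const devHeader = buildCspHeader(cspDirectivesFor("development"));
const prodHeader = buildCspHeader(cspDirectivesFor("production"));
console.log("development:", devHeader);
console.log("production :", prodHeader);
```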
Thanks for this in-depth analysis, I really appreciate it! I actually had not tested on a domain other than localhost, so this is my bad. I assume, like you say, with a proper certificate and HTTPS connection to the domain, this goes away. Thank you again for offering solutions nonetheless. :)

Ah yes. I forgot to mention that you could use HTTPS in development, which would also address the issue. I've updated my comment. Please don't hesitate to reach out about anything else!
Hi there, I'm writing a node.js site using the following helmet security policy:
This works flawlessly with Google Chrome, but when testing on Safari, I get the following error (no local stylesheets/assets working):

I have not set up any SSL certificates on the site and am simply working in a development environment. Further, if I just comment out all helmet code, Safari seems to recognize the local stylesheets correctly.
Is this something going on with Safari or have I configured helmet.js wrong?