Challenge with Express Helmet: CSS fails to load properly on iOS Safari browser

After successfully adding Helmet to my Node/Express/EJS project and configuring my CSP to allow inline scripts, styles, and certain external sources on my Windows laptop in Opera, Chrome & Edge, I encountered a problem when connecting via iOS Safari on mobile. Despite Bootstrap loading correctly, it seems none of my custom stylesheets or scripts are being applied.

Here is the code snippet I am currently using:

app.use(
  helmet({
    contentSecurityPolicy: {
      directives: {
        scriptSrc: ["'self'", "'unsafe-inline'", "'unsafe-eval'", "*.googleapis.com", "*.jsdelivr.net", "*.jquery.com"],
        styleSrc: ["'self'", "'unsafe-inline'", "'unsafe-eval'", "*.googleapis.com", "*.jsdelivr.net", "*.jquery.com"],
        baseUri: ["'self'"],
        fontSrc: ["'self'", "https://fonts.gstatic.com"]
      }
    }
  })
)

Additionally, I observed that whenever I click a link on my site using iOS Safari, it automatically switches to HTTPS even though I'm running on an HTTP localhost server. This behavior may be causing my stylesheet links to be requested over HTTPS rather than HTTP, which could explain why they are not loading properly.

<link rel="stylesheet" href="/style.css" />

Could Safari possibly be trying to access 

https://(laptop-private-ip):3000/style.css
instead of 
http://(laptop-private-ip):3000/style.css
, resulting in the stylesheet not being retrieved? It's puzzling why Bootstrap loads fine while my own styles don't.

If anyone has any insights or suggestions on how to troubleshoot this issue, I would greatly appreciate the help. Thanks in advance!

cssnode.jsexpresshelmet.js

Answer №1

The problem has been resolved. While I cannot be completely certain due to the possible interference of cache, I suspect it may have been caused by either of the following factors.

  • Upgrade-Insecure-Requests
  • HSTS

Answer №2

Take a look at the conversation on https://github.com/helmetjs/helmet/issues/429. To prevent issues in Safari, consider configuring CSP with upgradeInsecureRequests: null during development or ensuring you have an SSL certificate before testing. It may also be necessary to clear the cache if problems persist.

Similar questions

If you have not found the answer to your question or you are interested in this topic, then look at other similar questions below or use the search

Enhance your user experience by implementing a jQuery solution that makes a div

Looking to add a small div on the right side of your screen that moves along with your vertical window slider? Wondering if jQuery has a function to get the current vertical slider position? I thought scrollTop() might work, but it only returns from a spe ...

jqueryhtmlcssjquery-ui

Using Mongoose to Find Subdocument by Property Value

I am currently working on finding a way to retrieve an array of unpaid orders. Each order subdocument contains a property called isPaid that indicates whether the order has been paid or not. My goal is to only display orders that have not yet been paid in ...

node.jsmongodbexpressmongoose

Unable to retrieve MongoDB attributes or methods

I'm attempting to access properties or functions within mongoose.connection in order to retrieve the DeleteMany and DropCollection methods, but I seem to be unable to do so. I am initiating the express.js server inside the mongoose connection. mongoos ...

mongodbexpressmongoose

There appears to be an empty void on the website

If you could kindly click on this link & use CTRL + F to search for the text "Info", you will see a visual representation similar to the image below. There seems to be quite a bit of empty space below these texts. I experimented with padding, display: ...

htmlcss

HTML5: Enhancing Video Playback on the iPad with Custom Zoom Controls

I've customized a smaller UIWebView specifically for the iPad, and I've created my own HTML5 controls for the video playback. However, when I try to maximize the video, all I see is a black screen instead of the actual content. The audio still pl ...

javascriptcssipadhtml

Applying CSS transformations to scale up a div within its parent body

Having an issue with formatting an anchor link using transform scale attributes on hover. The link is inside a div that's aligned to the right, and I want it to enlarge when hovered over. However, this increase in size also affects the parent div, ca ...

htmlcss

Is there cause for worry regarding the efficiency issues of utilizing Object.setPrototypeOf for subclassing Error?

My curiosity is piqued by the Object.setPrototypeOf(this, new.target.prototype) function and the cautionary note from MDN: Warning: Modifying an object's [[Prototype]] is currently a slow operation in all browsers due to how modern JavaScript engines ...

node.jstypescript

Accordion content in motion

After creating an accordion, I wanted to enhance the user experience by adding a transition effect whenever they click on the accordion header. Even though I included height: auto and transition in the accordion container, it did not seem to have any impa ...

javascripthtmlcss

Changing array indices in JavaScript by splicing elements

I'm experiencing a curious issue that seems to involve overwriting array indices after splicing, or at least that's what I suspect. This problem arises in a small game project built using phaser 2 - essentially, it's a multiplayer jumping ga ...

javascriptexpresssocket.ioaliasphaser-framework

In the process of attempting to upload a .tsv file through the front end interface, I am encountering a challenge as the file remains stored on my server. What is the

I've got a function set up on my Express server that sends a file dependent on D3.JS. app.get('/dashboard', function(req, res) { var timestamp = utility.timestamp(); console.log('[' + timestamp + '] Request made to rend ...

javascriptnode.jsexpressd3.js

What could be the reason for my regex succeeding on the client side but failing on the server side

I have implemented a regex pattern to validate usernames, ensuring they only contain English letters, numbers, and underscores. The client-side code works perfectly, preventing any input other than these characters: <input type="text" name ...

javascriptnode.jsregex

Struggling to locate a suitable mock server that can deliver JSON responses for a specific URL that has been predetermined

I have encountered a challenge in my frontend app development using vue.js. I need to find a mock backend server (without mocking it on the front end). My app is capable of making HTTP requests, specifically GET and PATCH are the methods of interest. I am ...

node.jsjsonexpressmockingjson-api

Declarations and expressions in Node.js using JavaScript

Recently diving into Node Js, I stumbled upon the following code snippet in a tutorial const readline = require("readline"); const rl = readline.createInterface({ input: process.stdin, output: process.stdout }); const questions = [ " ...

javascriptnode.js

How can I retrieve Google contacts without needing an access token?

UPDATED I found my solution with the assistance of an access token :) I will now share how I achieved it. Currently, I am utilizing the Google contacts API to access the contacts of the user. To log in with Google and utilize the API, I am using passpo ...

node.jspassport.jsgoogle-contacts-api

Potential memory leak detected in EventEmitter by Discord.js

One night while my bot was running on auto-pilot as I drifted off to sleep, a warning popped up out of the blue: MaxListenersExceededWarning: Possible EventEmitter memory leak detected. 11 guildMembersChunk listeners added to [Client]. Use emitter.setMaxLi ...

javascriptnode.jsdiscorddiscord.jsnode-modules

What's the best way to execute multiple actions within a single gulp task?

Is there a way to execute multiple actions within one gulp task? I have tried using event-stream's merge feature following the example in How to perform multiple gulp commands in one task, but it doesn't work properly when combined with the del p ...

javascriptnode.jsnpmgulp

Eliminate the port from the URL using Node.js

I am currently running two Node.js apps on my server, both listening to port 55555. Below is the directory structure of the setup: /home/myuser /.htaccess /package.json /server.js /foo.com /node_modules /public /index.html /packa ...

node.jsapache.htaccessvhostsexpress-vhost

Storing deeply nested arrays of objects with Mongoose leads to MongoDB storing empty objects

Here's the issue I'm facing: I am trying to save nested objects with mongoose in mongodb, but when I save them, the nested objects end up empty. I have attempted various solutions found online, such as pushing objects and populating, but none o ...

javascriptnode.jsmongodbexpressmongoose

Unable to generate a React Native application

Here are the instructions to develop a react native app: npm install -g create-react-native-app create-react-native-app my-app cd my-app I successfully completed the first step, but I've been encountering challenges with the second step since yeste ...

node.jsreactjsreact-nativenpmsudo

Is there a way to link a particular model table with a designated user table?

Hey everyone, I'm new to stack overflow and this is my first question. I hope it's clear enough for you all to understand. I'm currently working on a budget API using Node.js, Sequelize, Express, and PostgreSQL. The API allows users to add/ ...

javascriptnode.jsdatabasepostgresqlexpress