Challenge with Express Helmet: CSS fails to load properly on iOS Safari browser

After successfully adding Helmet to my Node/Express/EJS project and configuring my CSP to allow inline scripts, styles, and certain external sources on my Windows laptop in Opera, Chrome & Edge, I encountered a problem when connecting via iOS Safari on mobile. Despite Bootstrap loading correctly, it seems none of my custom stylesheets or scripts are being applied.

Here is the code snippet I am currently using:

app.use(
  helmet({
    contentSecurityPolicy: {
      directives: {
        scriptSrc: ["'self'", "'unsafe-inline'", "'unsafe-eval'", "*.googleapis.com", "*.jsdelivr.net", "*.jquery.com"],
        styleSrc: ["'self'", "'unsafe-inline'", "'unsafe-eval'", "*.googleapis.com", "*.jsdelivr.net", "*.jquery.com"],
        baseUri: ["'self'"],
        fontSrc: ["'self'", "https://fonts.gstatic.com"]
      }
    }
  })
)

Additionally, I observed that whenever I click a link on my site using iOS Safari, it automatically switches to HTTPS even though I'm running on an HTTP localhost server. This behavior may be causing my stylesheet links to be requested over HTTPS rather than HTTP, which could explain why they are not loading properly.

<link rel="stylesheet" href="/style.css" />

Could Safari possibly be trying to access 

https://(laptop-private-ip):3000/style.css
instead of 
http://(laptop-private-ip):3000/style.css
, resulting in the stylesheet not being retrieved? It's puzzling why Bootstrap loads fine while my own styles don't.

If anyone has any insights or suggestions on how to troubleshoot this issue, I would greatly appreciate the help. Thanks in advance!

cssnode.jsexpresshelmet.js

Answer №1

The problem has been resolved. While I cannot be completely certain due to the possible interference of cache, I suspect it may have been caused by either of the following factors.

  • Upgrade-Insecure-Requests
  • HSTS

Answer №2

Take a look at the conversation on https://github.com/helmetjs/helmet/issues/429. To prevent issues in Safari, consider configuring CSP with upgradeInsecureRequests: null during development or ensuring you have an SSL certificate before testing. It may also be necessary to clear the cache if problems persist.

Similar questions

If you have not found the answer to your question or you are interested in this topic, then look at other similar questions below or use the search

Eliminate the display of Last Modified date and file Size in mod_autoindex

Recently, while developing a file storage webpage for my website, I successfully implemented mod_autoindex for my Apache server. However, I now face the challenge of removing the Last Modified and Size fields from the table. I am hopeful that there is a w ...

htmlcssapachemod-autoindex

Using jQuery Accordion within the MVC Framework

I'm new to MVC and considering using an accordion. However, I'm facing issues as the accordion does not appear despite adding all necessary references for jquery accordion and creating the div. Here is my code: @{ ViewBag.Title = "Online Co ...

javascriptjqueryhtmlcssasp.net-mvc

Is the order of query execution being altered when using the MongoClient in Node.js?

I am currently developing a registration API endpoint that utilizes MongoDB to validate two specific conditions: If the username provided already exists in the database, it will return a status of 500 If the email address provided already exists in the da ...

javascriptnode.jsmongodbexpressmongodb-query

What sets apart v1, v2, and v3 on the https://www.googleapis.com/oauth2/v3/certs API?

Currently, I am in the process of authenticating a user on an Android app through Google Sign-in to retrieve the account name. Once I have obtained the token using GoogleAuthUtil.getToken(getApplicationContext(), app, scopes), my next step is to send this ...

androidnode.jsgoogle-oauthgoogle-signin

Options in Joomla Back-end Plugin

Just started diving into Joomla programming and I managed to create a plugin that functions perfectly. However, there's one small issue that's been bothering me all day. The configuration options in the back-end are shifted by a 180px left margin ...

htmlcssjoomla

As I resize my browser window, I notice that my menu button starts to shift upwards along the

I recently created a menu button that looks great, but I noticed that when I shrink the browser window, it starts to move slightly upwards. It's really annoying and I can't figure out why this is happening. Can someone please help me troubleshoot ...

htmlcss

Perform a native Fetch request using Proxy in NodeJS version 18

With the release of Node JS version 18, Fetch requests can now be made without the need to install additional packages like Axios. I am curious to know if it is possible to make a request using Native Fetch with Proxy without the need for any external pac ...

javascriptnode.jsfetch

Encountering an issue while attempting to access a specific endpoint in my node.js and express application

I recently created an API Rest to allow users to register, but I'm facing an issue where I cannot access the endpoint http://localhost:5000/api/user/register/. The error message "Cannot GET /api/user/register/" keeps popping up. Here is a snippet from ...

node.jsexpress

The Bootstrap table spills over the edges of the container

I'm currently working on a project where I need to create a table with a grey background, but I am facing an issue where the lines from my table are extending past the div container. I even tried placing it inside a form, but that did not resolve the ...

phphtmlcsstwitter-bootstrap

Adjust the size of images using jQuery to perfectly fit the container dimensions

I am currently working on a script to automatically resize images that are too large for the container: $('img').each(function(i){ var parent_width = parseInt($(this).parent().width()), image_width = parseInt($(this).width()); ...

javascriptjquerycssimage

Using a backslash in JSON within the request body in ExpressJS with the body-parser module

Everything seems to be working fine until a backslash character in JSON is received from the client by the Express server with body-parser. The request body appears like this (We entered this into Postman (raw value) and Swagger-UI exactly as shown: { ...

node.jsjsonexpressbody-parser

The select option fails to automatically assign the selected value from a given response

I am currently working on a project that involves populating two select dropdowns with values from a server. While I am able to successfully retrieve and populate the options of the first select dropdown, I am encountering an issue with setting one of the ...

node.jsajaxexpress

Local variables in Node modules do not retain their values between different calls or invocations

I'm facing a puzzling issue. I would expect that the local variables in a node module should persist within the module, but it seems like they are not. Here is my node module: var Mailgun = require("mailgun-js"); var api_key, domain; exports.config ...

node.jsmodule

Working with promises and Async/Await in Express/node can sometimes feel ineffective

Currently, I am delving into the world of node and express with the aim to create a function that can extract data from a CSV file uploaded by the user. My challenge lies in the fact that the data is being outputted as an empty array before it goes through ...

javascriptnode.jsexpressasynchronouspromise

Tips for effectively transmitting JSON data through SuperAgent within the React framework

Currently, I am transmitting the state of my react app to a server that is not located on the same server as the frontend. request.post('http://localhost:8000/guide') .send(JSON.stringify(this.state)) .end((err, resp) =&g ...

jsonnode.jsreactjssuperagent

Is there a way to pass a JavaScript Buffer (such as an unsigned char *) from C++ to Node.js using an addon?

Whenever I transition from a C++ Addon to NodeJS void MyFunction(const FunctionCallbackInfo<Value>& args) { Isolate *isolate = args.GetIsolate(); unsigned char *buffer = "something"; unsigned int len = 9; args.GetReturnValue ...

c++node.jsnode.js-addon

Is it feasible to generate a realistic arrow using CSS and then rotate it?

Can a fully functional arrow be created using CSS alone? Here is the method I used to create just the arrowhead: http://jsfiddle.net/2fsoz6ye/ #demo:after { content: ' '; height: 0; position: absolute; width: 0; border: 10p ...

css

Develop a Mongoose Schema Model in Node.js to streamline the coding process

After reviewing the previous examples, I couldn't find any inspiration. The principle of programming is to avoid repetition, and I aim to create a model. However, I am struggling to understand how to do so and would appreciate guidance on how to apply ...

node.jsmongodbexpressmongooseschema

What is the reason for the updated version of mocha not displaying test details when executing npm test command?

My project specifies the following devDependencies: "mocha": "^3.4.2", "mocha-sinon": "^2.0.0", "sinon": "^2.3.7", Running tests with these dependencies only provides minimal output: $ npm test Basic test example. simple test examples However, w ...

node.jsnpmmocha.js

How to center text both horizontally and vertically in HTML

I am struggling with centering a background image along with a 1-line text vertically and horizontally inside a div. Although I have successfully centered the image, the text remains misaligned. I attempted using vertical-align: middle without success. Be ...

csshtml