A space to discuss GraphQL queries, mutations, troubleshooting, throttling, and best practices.
Hi All,
I want to add the freshdesk chatbot into the app, i am facing error with CSP violation.
Error :
Refused to load the script 'https://ind-widget.freshworks.com/widgets/XXX.js' because it violates the following Content Security Policy directive: "default-src 'self' https://*.googleapis.com https://*.myshopify.com https://*.shopify.com https://*.googletagmanager.com https://*.google-analytics.com https://s.ytimg.com https://www.youtube.com https://yourdomainname.com https://*.googleapis.com https://*.gstatic.com https://*.w.org data: 'unsafe-inline' 'unsafe-eval'". Note that 'script-src-elem' was not explicitly set, so 'default-src' is used as a fallback.
```
setHeader and append header create multiple entry. in header response.
```
app stack node js express and react.
how to add the any third part code into the app.
hello there
The error message you're seeing indicates that the script you're trying to load violates the Content Security Policy (CSP) of your app. CSP is a security feature in web browsers that helps prevent cross-site scripting (XSS) attacks.
To resolve this issue, you'll need to update your app's CSP to allow the script to be loaded. Here's how you can do it:
Identify the CSP directives that are causing the error. In this case, the error message indicates that the default-src
directive is being used, and that the script being loaded violates it.
Add the necessary domains to the default-src
directive to allow the script to be loaded. Based on the error message, you'll need to add https://ind-widget.freshworks.com
to the default-src
directive.
Update your app's CSP using the helmet
middleware in your Node.js/Express app. The helmet
middleware provides a convenient way to set various security-related HTTP headers, including the CSP header.
Here's an example of how you can update your app's CSP using helmet
:
const express = require('express');
const helmet = require('helmet');
const app = express();
// Use the helmet middleware to set the CSP header
app.use(
helmet.contentSecurityPolicy({
directives: {
defaultSrc: [
"'self'",
"https://*.googleapis.com",
"https://*.myshopify.com",
"https://*.shopify.com",
"https://*.googletagmanager.com",
"https://*.google-analytics.com",
"https://s.ytimg.com",
"https://www.youtube.com",
"https://yourdomainname.com",
"https://*.googleapis.com",
"https://*.gstatic.com",
"https://*.w.org",
"data:",
"'unsafe-inline'",
"'unsafe-eval'",
"https://ind-widget.freshworks.com"
]
}
})
);
// Your app routes and middleware go here
If this fixed your issue, likes and accepting as a solution are highly appreciated.
Build an online presence with our custom built Shopify Theme EcomifyTheme
@EcomGraduates i have using the node inbuilt function.
res.setHeader('Content-Security-Policy', ""