johnpapa / lite-server

Lightweight node server
MIT License

Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self'" #166

Closed SkrupSulten closed 4 years ago

SkrupSulten commented 4 years ago

Bug repro steps

Please give us an isolated way to reproduce the behavior (example: GitHub repository with code that anyone can clone to observe the problem, or a Dockerfile that replicates your environment):

1. I'm running "ng build --watch" on an Angular 8.1 application

2. Then I run lite-server using lite-server -c lite-server-config.json

Config:
{
    "port": 5001,
    "files": ["/dist/browser/**/*.{html,htm,css,js,js.map}"],
    "server": { "baseDir": "/dist/browser" }
}

Cmd output:

C:\...>npx lite-server -c lite-server-config.json
** browser-sync config **
{
  injectChanges: false,
  files: [ '/dist/browser/**/*.{html,htm,css,js,js.map}' ],
  watchOptions: { ignored: 'node_modules' },
  server: { baseDir: '/dist/browser', middleware: [ [Function], [Function] ] },
  port: 5001
}
[Browsersync] Access URLs:
 -------------------------------------
       Local: http://localhost:5001
    External: http://x.x.x.x:5001
 -------------------------------------
          UI: http://localhost:3001
 UI External: http://localhost:3001
 -------------------------------------
[Browsersync] Serving files from: /dist/browser
[Browsersync] Watching files...
19.10.23 08:23:48 404 GET /index.html

3. In my Chrome console I get the following errors:

- Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-ThhI8UaSFEbbl6cISiZpnJ4Z44uNSq2tPKgyRTD3LyU='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

- Failed to load resource: the server responded with a status of 404 (Not Found)

The Chrome elements tab:

<html lang="en"><head>
<meta charset="utf-8">
<title>Error</title>
</head>
<body><script id="__bs_script__">//<![CDATA[
    document.write("<script async src='/browser-sync/browser-sync-client.js?v=2.26.7'><\/script>".replace("HOST", location.hostname));
//]]></script>

<pre>Cannot GET /</pre>

</body></html>

Environment

SkrupSulten commented 4 years ago

It turned out the baseDir was wrong
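
Added example (not part of the issue thread or of lite-server's code): a simplified Node.js model of the inline-script check that the Chrome console message above describes, showing the fallback to default-src and what a hash or nonce source changes. The function names and the sample script are constructed for illustration.

```javascript
const crypto = require('crypto');

// Parse a CSP header value into Map<directive name, source list>.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // Per the CSP spec, a repeated directive is ignored (first one wins).
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Hash source expression for an inline script body, e.g. 'sha256-...'.
function inlineHash(scriptText, algo = 'sha256') {
  const digest = crypto.createHash(algo).update(scriptText, 'utf8').digest('base64');
  return `'${algo}-${digest}'`;
}

// Simplified model of the inline <script> check (ignores report-only mode,
// multiple policies and 'strict-dynamic'). `nonce` is the element's nonce attribute.
function checkInlineScript(policy, scriptText, nonce) {
  const directives = parseCsp(policy);
  // Fallback chain: script-src-elem -> script-src -> default-src.
  const directive = ['script-src-elem', 'script-src', 'default-src']
    .find((d) => directives.has(d));
  if (!directive) return { allowed: true, directive: null, reason: 'no directive applies' };
  const sources = directives.get(directive);
  const hashes = ['sha256', 'sha384', 'sha512'].map((a) => inlineHash(scriptText, a));
  if (sources.some((s) => hashes.includes(s))) {
    return { allowed: true, directive, reason: 'hash match' };
  }
  if (nonce && sources.includes(`'nonce-${nonce}'`)) {
    return { allowed: true, directive, reason: 'nonce match' };
  }
  // 'unsafe-inline' is ignored once the list carries any hash or nonce source.
  const hasHashOrNonce = sources.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  if (!hasHashOrNonce && sources.some((s) => s.toLowerCase() === "'unsafe-inline'")) {
    return { allowed: true, directive, reason: "'unsafe-inline'" };
  }
  return { allowed: false, directive, reason: 'needs a hash, a nonce or unsafe-inline' };
}

// Constructed sample: an inline script standing in for the injected one.
const sample = "document.write('<p>injected</p>');";
console.log(checkInlineScript("default-src 'self'", sample));
console.log(checkInlineScript(`default-src 'self'; script-src 'self' ${inlineHash(sample)}`, sample));
```

In the thread, the refused inline script is the one shown in the "Cannot GET /" error page, and the reporter's resolution was correcting baseDir rather than relaxing the policy.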