For the development of new web page functions #327
Description
When using the open-source WBO project and deploying your personal programs on it, you may find that inline JS, CSS, and other functions trigger Content Security Policy (CSP) errors. In server.js, you will find the following strict CSP configuration:
var CSP = "default-src 'self'; style-src 'self' 'unsafe-inline'; connect-src 'self' ws: wss:";
The restrictions of this configuration are as follows:
default-src 'self': Only allows resources to be loaded from the same origin.
style-src 'self' 'unsafe-inline': Allows inline styles and stylesheets from the same origin.
connect-src 'self' ws: wss: : Only allows connections to the same origin and WebSocket.
To enable cross-origin requests, modify the code as follows:
javascript
var CSP = "default-src * 'unsafe-inline' 'unsafe-eval'; style-src * 'unsafe-inline'; connect-src * ws: wss:";
var fileserver = serveStatic(config.WEBROOT, {
maxAge: 2 * 3600 * 1000,
setHeaders: function (res) {
res.setHeader("X-UA-Compatible", "IE=Edge");
res.setHeader("Content-Security-Policy", CSP);
// Allow cross-origin access
res.setHeader("Access-Control-Allow-Origin", "*");
res.setHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS, PUT, DELETE");
res.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization");
res.setHeader("Access-Control-Allow-Credentials", "true");
},
});