ShīnChvën ✨

Fixing a Node app's WeCom (企业微信) login not showing the QR code

I was building an application with Ant Design Pro and FeathersJS that supports WeCom (企业微信) QR-code login. I had implemented this feature without trouble before, but this time the QR code would not load at all.

Investigation showed that the helmet library used by FeathersJS had tightened its default security policy in a newer release and now blocks off-site resources by default.

To let the WeCom QR code load, the policy has to be relaxed.

const helmet = require('helmet')

app.use(helmet({
  contentSecurityPolicy: false,
  crossOriginEmbedderPolicy: false, // added: allow the iframe
  crossOriginResourcePolicy: false, // added: allow off-site resources
}))
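A narrower alternative, added here as an example and not part of the original post: keep CSP enabled but allowlist only the login provider's origin, and check the resulting policy with a small evaluator. QR_ORIGIN and the app origin are placeholders (substitute the origin the QR widget really loads from), and the helmet option shapes are helmet's public contentSecurityPolicy and crossOriginEmbedderPolicy options; verify the defaults of your installed helmet version.

```javascript
// Added example, not code from the original post. Instead of switching CSP off,
// keep default-src 'self' and allowlist only the login provider's origin.
// QR_ORIGIN is a placeholder: use the origin the QR widget really loads from.
const QR_ORIGIN = 'https://qr-provider.example';

// Directives in the shape helmet accepts under contentSecurityPolicy.directives.
const cspDirectives = {
  'default-src': ["'self'"],
  'script-src': ["'self'", QR_ORIGIN],        // the provider's QR widget script
  'frame-src': [QR_ORIGIN],                   // the iframe that renders the QR code
  'img-src': ["'self'", 'data:', QR_ORIGIN],  // QR image, inline or remote
  'object-src': ["'none'"],
};

// Options to hand to helmet(). COEP require-corp would still block the cross-origin
// frame, so it stays disabled as in the snippet above; CORP is left at the default.
const helmetOptions = {
  contentSecurityPolicy: { directives: cspDirectives },
  crossOriginEmbedderPolicy: false,
};

// Serialise directives into the Content-Security-Policy header value.
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(' ')}`)
    .join('; ');
}

// Parse a header value back into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name] = sources;
  }
  return policy;
}

// Would this CSP let `url` load under `directive`? Fetch directives fall back to
// default-src when absent. Only the source forms used above are modelled:
// 'self', 'none', a bare scheme such as data:, and a full origin.
function cspAllows(header, directive, url, pageOrigin) {
  const policy = parseCsp(header);
  const sources = policy[directive] || policy['default-src'] || [];
  const target = new URL(url);
  return sources.some((src) => {
    if (src === "'none'") return false;
    if (src === "'self'") return target.origin === pageOrigin;
    if (src.endsWith(':')) return target.protocol === src;
    return target.origin === src;
  });
}
```

With a plain `default-src 'self'` policy the evaluator reports the provider's frame as blocked, which is the symptom described above; with the allowlisted directives it is permitted while every other off-site origin stays blocked.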

References

Content Security Policy

The HTTP Content-Security-Policy response header allows web site administrators to control resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against cross-site scripting attacks.

Cross-Origin-Embedder-Policy

The HTTP Cross-Origin-Embedder-Policy (COEP) response header prevents a document from loading any cross-origin resources that don't explicitly grant the document permission (using CORP or CORS).

Cross-Origin-Resource-Policy

The HTTP Cross-Origin-Resource-Policy response header conveys a desire that the browser blocks no-cors cross-origin/cross-site requests to the given resource.