Refused to connect to "<web2 url>" because it violates the document's Content Security Policy

I am experiencing this issue: "Refused to connect to 'http://217.76.59.68:4000/parse_pdf' because it violates the document's Content Security Policy." when I try to call that API.

I’ve tried adding the URL to my .ic-assets.json5 file in my public directory. I have configured my CSP to allow connection only to these domains:

            "Content-Security-Policy": "default-src 'self';script-src 'self' 'unsafe-eval';connect-src 'self' http://localhost:* https://icp0.io https://*.icp0.io https://icp-api.io;img-src **http://217.76.59.68:4000/parse_pdf** 'self' data:;style-src * 'unsafe-inline';style-src-elem * 'unsafe-inline';font-src *;object-src 'none';base-uri 'self';frame-ancestors 'none';form-action 'self';upgrade-insecure-requests;",

I’ve also run the command to re-install the canister and update the headers:

dfx canister install investafarm_marketplace --mode reinstall

After all these steps and deploying the canister to mainnet again, I am still getting the same error. What might be the issue? :thinking:

@jennifertran @peterparker @cryptoschindler

Please don’t tag me directly unless I participated in the thread or it’s related to my work—DFX is definitely not one of those things.

Regarding your issue, I believe DFX populates the rules during deployment. Have you redeployed?

I'm not exactly sure where .ic-assets.json is located in your case. In Oisy, we store it in the static folder of the frontend app, so it’s possible that the public directory is correct for you.

Lastly, are you certain your CSP is configured correctly? It looks like you’ve whitelisted http://217.76.59.68:4000 for img-src, but your issue seems to be with connect-src.


Have you tried running:

dfx deploy investafarm_marketplace

instead?

The new assets of your website are uploaded to your Asset canister only with the deploy command. The install command only attempts to install the new Wasm in your canister, which likely will be the same in case of an asset canister unless you’ve not deployed it for months.
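
The img-src versus connect-src point raised in the thread, as an added example that is not part of any post: a simplified JavaScript check of whether a policy lets `fetch`/XHR reach a URL. `SELF_ORIGIN` is a placeholder origin, `FIXED_POLICY` is one assumed correction, and path matching, nonces and hashes are left out.

```javascript
// Added example: simplified CSP source matching for fetch/XHR (connect-src).
// Policies are shortened from the one posted; SELF_ORIGIN is a placeholder.
const SELF_ORIGIN = 'https://example-canister.icp0.io';
const POSTED_POLICY = "default-src 'self';connect-src 'self' http://localhost:* " +
  "https://icp0.io https://*.icp0.io https://icp-api.io;" +
  "img-src http://217.76.59.68:4000/parse_pdf 'self' data:;";
// Assumed fix: the API origin is listed under connect-src, not img-src.
const FIXED_POLICY = POSTED_POLICY.replace('https://icp-api.io;',
  'https://icp-api.io http://217.76.59.68:4000;');

function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // Browsers ignore a repeated directive, so the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

function matchesSource(expr, url, selfOrigin) {
  if (expr === "'none'") return false;
  if (expr === '*') return ['http:', 'https:', 'ws:', 'wss:'].includes(url.protocol);
  if (expr === "'self'") return url.origin === selfOrigin;
  // Scheme-only source such as "data:" or "https:".
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return url.protocol === expr.toLowerCase();
  const m = expr.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)(?::(\d+|\*))?/i);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ':') return false;
  const hostOk = host.startsWith('*.')
    ? url.hostname.endsWith(host.slice(1).toLowerCase())
    : url.hostname === host.toLowerCase();
  if (!hostOk) return false;
  const defaultPort = url.protocol === 'https:' ? '443' : '80';
  return port === '*' || (url.port || defaultPort) === (port || defaultPort);
}

function connectAllowed(policy, target, selfOrigin) {
  const directives = parseCsp(policy);
  // fetch/XHR are governed by connect-src, falling back to default-src.
  const sources = directives.get('connect-src') ?? directives.get('default-src');
  if (!sources) return true; // no governing directive, so no restriction
  const url = new URL(target);
  return sources.some((s) => matchesSource(s, url, selfOrigin));
}
```

`connectAllowed(POSTED_POLICY, 'http://217.76.59.68:4000/parse_pdf', SELF_ORIGIN)` returns `false`, and the same call with `FIXED_POLICY` returns `true`.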