Browser Policy: child-src

Hi,

Does anyone know how to use BrowserPolicy to set the child-src or worker-src?

Basically I need to set child-src for react-ace. The problem I am having is here, and someone else worked out the solution here.

In essence, this is the error I am getting:

Refused to create a worker from 'blob:http://localhost:3000/7a959d84-1977-477f-8436-279a36f15694' because it violates the following Content Security Policy directive: "default-src 'self' data:". Note that 'worker-src' was not explicitly set, so 'default-src' is used as a fallback.

Thanks so much.

Tat

Having a look at this, it says:

var resources = [
  { methodResource: "Script", directive: "script-src" },
  { methodResource: "Object", directive: "object-src" },
  { methodResource: "Image", directive: "img-src" },
  { methodResource: "Media", directive: "media-src" },
  { methodResource: "Font", directive: "font-src" },
  { methodResource: "Connect", directive: "connect-src" },
  { methodResource: "Style", directive: "style-src" },
  { methodResource: "Frame", directive: "frame-src" },
  { methodResource: "FrameAncestors", directive: "frame-ancestors" }
];

Am I out of luck? How come there is no ‘child-src’ or ‘worker-src’ here? Thanks so much.

Tat

That chunk of code you quoted is a PR that I submitted months ago.

I ran into a similar problem, where I needed to add policies for frame-ancestors, but that particular policy wasn’t supported. The PR that I submitted added it.

It is rather straightforward to add any policy you need, though. You will have to git clone the browser-policy-content package into your packages directory. Then, you would add two objects to the resources array:

{ methodResource: "ChildSource", directive: "child-src" },
{ methodResource: "WorkerSource", directive: "worker-src" },

You would then be able to add policies like:

BrowserPolicy.allowChildSource('whatever');

I would do that, and submit a PR.
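The fallback named in the error message above, worked through as an added example that is not part of the original thread or of the browser-policy package: it resolves which directive governs worker creation and whether a `blob:` worker passes. The function names and the second and third policy strings are constructed for illustration.

```javascript
// Added example: CSP Level 3 fallback order for worker requests.
const WORKER_FALLBACK = ['worker-src', 'child-src', 'script-src', 'default-src'];

// Parse a Content-Security-Policy header value into Map(directive -> [sources]).
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first one wins.
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Return the directive that actually governs worker creation, or null if none applies.
function governingWorkerDirective(policy) {
  return WORKER_FALLBACK.find((name) => policy.has(name)) || null;
}

// Report whether a worker created from a blob: URL would be permitted.
// "*" does not match blob:, so the scheme has to be listed explicitly.
function allowsBlobWorker(header) {
  const policy = parseCsp(header);
  const directive = governingWorkerDirective(policy);
  if (directive === null) return { allowed: true, directive }; // nothing restricts workers
  const sources = policy.get(directive).map((s) => s.toLowerCase());
  return { allowed: sources.includes('blob:'), directive };
}

// Policy taken from the error message in the thread.
const before = "default-src 'self' data:";
// Constructed: the narrowest change, blob: is granted to workers only.
const after = "default-src 'self' data:; worker-src 'self' blob:";
// Constructed: child-src also covers workers through the fallback chain.
const viaChild = "default-src 'self' data:; child-src 'self' blob:";

for (const header of [before, after, viaChild]) {
  const { allowed, directive } = allowsBlobWorker(header);
  console.log(`${header}\n  -> governed by ${directive}, blob worker allowed: ${allowed}`);
}
```

Granting `blob:` on `worker-src` keeps it out of `default-src` and `script-src`, where it would apply to far more than the editor's worker. Browsers that implement only CSP Level 2 consult `child-src` for workers, which is why both directives come up in the thread.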

Can I ask a stupid question? How do I clone only one package? The only option is to git clone meteor/meteor, right, because the package is an underlying part of this? Also, there are multiple branches, a released and a development branch, right?

I’ve never done this before (contributed to a public anything). Super excited. Can you give me step-by-step instructions - super noob variant? Presumably I don’t have to write any tests for this?

I get this is what I need to do:
(1) git clone the package. But how do I test if the changes I have made are any good [like generally, obviously the two lines in this case are pretty simple].
(2) Add the two lines into packages/browser-policy-content/browser-policy-content.js. What comment should I make when I push the pull request?
(3) Generally, I make a new branch of my own project. Then when complete, I go git push origin <branchname>, but how do I have access to this? Like, if I downloaded the entire meteor repo and made the change and pushed it up - I don’t get how this works.

Is there a how-to-contribute document somewhere - super noob level?

Thanks so much.

Tat

Could you please provide me a link to your PR, so I can look at it and copy please? I have learned that copying other people’s good work is a good way to learn. It would be very much appreciated.

I can completely relate! That PR I referred to was the first one I ever did! I can promise you that while it might seem difficult right now, it really isn’t once you get going; the hardest part is just getting started. I felt the exact same way you do right now.

Some things to help you get started… bear with me, I am doing this from memory.

First, let’s solve your problem right away to unblock you. Clone the entire meteor project with git clone https://github.com/meteor/meteor.git. Copy packages/browser-policy-content into your own project’s packages folder, and make the necessary changes. Your meteor project will pick them up and you will have those new policies good to go!

Now, to actually submit your PR!

What you actually want to do is fork the project on GitHub. Once you have a fork of meteor in your GitHub account, you want to clone that repository to your development machine. Make all of your changes on the devel branch of your fork. You can push to GitHub as usual this way.

When you want to submit the PR to the meteor project, go to your fork’s project page on GitHub and click the “New Pull Request” button. Base fork is “meteor/meteor”, head fork is your “username/meteor”; devel branch for both. This sounds confusing, but hopefully makes sense once you see the screen. Type in your PR comments and submit! That is pretty much it!

When you make your changes, be sure to include tests, comments, and documentation, too. You can look at the small PR I did if you just need some inspiration or direction on what changes need to be done. The work would be very similar, I think.

I would definitely look at the contribution guide because I am certain there are things I forgot about.
