Browser policy still up to date?

jkuester · September 1, 2020, 2:30pm

Hey I am working on a new project with a different CSP. We basically want to prevent the page from being framed but want to display PDFs loaded from the same origin on the page (which are basically framed) and any external content in an iframe on our page.

However, BrowserPolicy.framing.restrictToOrigin() uses the ALLOW option, which seems to be not really supported and we found no option to set the x-frame-options to SAMEORIGIN.

Edit: Does this imply, that the browser policy package needs to be updated?

The documentation on this is also not very enlightening.

We tried to solve it via

import { BrowserPolicy } from 'meteor/browser-policy'

const host = Meteor.absoluteUrl()

// never render inside iframe
BrowserPolicy.framing.disallow()

// except when on own domain
BrowserPolicy.framing.restrictToOrigin(host)

// and any external content
BrowserPolicy.content.allowFrameOrigin('*')

This all “works” (framing by others blocked, display same-orign content in frame, display external content in frame) but I still get the warning

Invalid X-Frame-Options header was found when loading “http://localhost:3000/path/to.pdf”: “ALLOW-FROM http://localhost:3000/” is not a valid directive.

I am no CSP expert yet, maybe someone can help our here?

storyteller · September 1, 2020, 2:35pm

The Meteor browser policy is no longer up to date. We need to move forward and deprecate the package more visibly or update it.
Here is the relevant Guide page:

Personally I manage this manually via WebApp.rawConnectHandlers.use() so that I have one less dependency to worry about.

jkuester · September 1, 2020, 2:40pm

Woa! Did not realized this section has been updated. Thanks a lot. Regarding deprecation - I was thinking already about a deprecated flag in the packages that raises a warning when starting the server in dev mode.

storyteller · September 1, 2020, 5:24pm

Agreed! I was also thinking we should add some flag to package.js and/or package.json that could be picked-up by Atmosphere so that it can flag the packages there as well.

paulishca · November 27, 2023, 12:39pm

@fredmaiaarantes Atmosphere is a bit buggy. Also how about those deprecation flags?

Screenshot 2023-11-27 at 4.36.46 PM

harry97 · November 28, 2023, 10:55am

Told you mate. Time to deprecate it. BRING OUT THE PITCH FORKS!!