Browser policy still up to date?

Hey, I am working on a new project with a different CSP. We basically want to prevent the page from being framed but want to display PDFs loaded from the same origin on the page (which are basically framed) and any external content in an iframe on our page.

However, BrowserPolicy.framing.restrictToOrigin() uses the ALLOW option, which seems not to be really supported, and we found no option to set the X-Frame-Options header to SAMEORIGIN.


Edit: Does this imply that the browser-policy package needs to be updated?


The documentation on this is also not very enlightening.

We tried to solve it via

import { Meteor } from 'meteor/meteor'
import { BrowserPolicy } from 'meteor/browser-policy'

// absoluteUrl() returns the root URL with a trailing slash, e.g. http://localhost:3000/
const host = Meteor.absoluteUrl()

// never render inside iframe
BrowserPolicy.framing.disallow()

// except when on own domain (emits X-Frame-Options: ALLOW-FROM <host>)
BrowserPolicy.framing.restrictToOrigin(host)

// and any external content may be framed by our page (CSP frame-src)
BrowserPolicy.content.allowFrameOrigin('*')

This all “works” (framing by others blocked, same-origin content displayed in a frame, external content displayed in a frame), but I still get the warning

Invalid X-Frame-Options header was found when loading “http://localhost:3000/path/to.pdf”: “ALLOW-FROM http://localhost:3000/” is not a valid directive.

I am no CSP expert yet, maybe someone can help out here?

1 Like

The Meteor browser policy is no longer up to date. We need to move forward and deprecate the package more visibly or update it.
Here is the relevant Guide page:

Personally I manage this manually via WebApp.rawConnectHandlers.use() so that I have one less dependency to worry about.
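The manual route mentioned above, written out as an added example (not code from this thread or from Meteor): a connect-style middleware for WebApp.rawConnectHandlers.use() that sends X-Frame-Options: SAMEORIGIN, the value the first post could not get from browser-policy, together with its CSP equivalent, frame-ancestors. The extra-ancestors parameter, the fake response object and the partner origin used in the demo are assumptions for illustration.

```javascript
// Connect-style middleware for WebApp.rawConnectHandlers.use(): the manual
// route instead of the browser-policy package. Who may embed this app is
// decided by the two response headers below; what this app itself embeds
// (same-origin PDFs, external iframes) is a separate CSP directive
// (frame-src) and is not touched here.

const SELF = "'self'";

// Returns the framing headers as a plain object so they can be inspected
// (and tested) without a real HTTP response. extraAncestors is an assumed
// parameter for origins that may additionally frame the app.
function framingHeaders(extraAncestors = []) {
  return {
    // Legacy header. Only DENY and SAMEORIGIN are portable; ALLOW-FROM was
    // never implemented by Chrome or Safari, which is what the console
    // warning quoted in the first post is about.
    'X-Frame-Options': 'SAMEORIGIN',
    // Modern equivalent. Browsers that understand frame-ancestors ignore
    // X-Frame-Options when both are present, so extra origins listed here
    // take effect there, while older browsers fall back to SAMEORIGIN.
    'Content-Security-Policy':
      `frame-ancestors ${[SELF, ...extraAncestors].join(' ')}`,
  };
}

// Middleware with the (req, res, next) signature connect expects.
function framingMiddleware(extraAncestors = []) {
  const headers = framingHeaders(extraAncestors);
  return function (req, res, next) {
    for (const [name, value] of Object.entries(headers)) {
      res.setHeader(name, value);
    }
    next();
  };
}

// Minimal stand-in for an HTTP response, constructed here so the example
// runs outside Meteor. In server/main.js you would instead write:
//   import { WebApp } from 'meteor/webapp';
//   WebApp.rawConnectHandlers.use(framingMiddleware());
function runMiddleware(middleware) {
  const sent = {};
  const res = { setHeader: (name, value) => { sent[name] = value; } };
  let called = false;
  middleware({}, res, () => { called = true; });
  return { headers: sent, nextCalled: called };
}

console.log(runMiddleware(framingMiddleware()).headers);
// → { 'X-Frame-Options': 'SAMEORIGIN',
//     'Content-Security-Policy': "frame-ancestors 'self'" }
```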

Whoa! Did not realize this section has been updated. Thanks a lot. Regarding deprecation, I was already thinking about a deprecated flag in the packages that raises a warning when starting the server in dev mode.

1 Like

Agreed! I was also thinking we should add some flag to package.js and/or package.json that could be picked up by Atmosphere so that it can flag the packages there as well.