Content Security Policy


#1

In a JS script I use a DDP client to connect to my Meteor app, and suddenly I got this error:

Refused to connect 'wss://app.backtocart.co/websocket' because it violates the following 
Content Security Policy directive: "default-src https: data: 'unsafe-inline' 'unsafe-eval' ". 
Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback

What is this? This is the first time I have encountered it. How can I fix it?
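
The fallback described in the error message above, as an added example that is not part of the original post: a simplified model of how the browser chooses between connect-src and default-src and why the scheme source https: does not cover a wss: URL. The policy string and target URL are taken from the error; FIXED_POLICY and the function names are assumptions made for illustration.

```javascript
// Added example: simplified model of how a browser picks and applies the
// CSP directive for a WebSocket/XHR/fetch connection. Not a full CSP parser.
const PAGE_POLICY = "default-src https: data: 'unsafe-inline' 'unsafe-eval'"; // from the error
// Constructed policy (assumption): same default-src plus an explicit connect-src.
const FIXED_POLICY = PAGE_POLICY + "; connect-src https: wss://app.backtocart.co";
const TARGET = "wss://app.backtocart.co/websocket"; // URL from the error

function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive name is ignored; the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

function sourceMatches(source, url) {
  // Keywords such as 'unsafe-inline' never authorize a connection target.
  // 'self', ports, paths and wildcards are not modeled here.
  if (source.startsWith("'")) return false;
  // Scheme-source, e.g. "https:" (compared exactly in this model).
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {
    return source.toLowerCase() === url.protocol;
  }
  // Host-source with explicit scheme, e.g. "wss://app.backtocart.co".
  const m = /^([a-z][a-z0-9+.-]*):\/\/([a-z0-9.-]+)$/i.exec(source);
  return Boolean(m) && m[1].toLowerCase() + ":" === url.protocol &&
    m[2].toLowerCase() === url.hostname && url.port === "";
}

function checkConnect(policy, target) {
  const directives = parsePolicy(policy);
  // connect-src governs the connection; default-src is only the fallback.
  const directive = directives.has("connect-src") ? "connect-src"
    : directives.has("default-src") ? "default-src" : null;
  if (directive === null) return { allowed: true, directive };
  const url = new URL(target);
  const allowed = directives.get(directive).some((s) => sourceMatches(s, url));
  return { allowed, directive };
}

for (const policy of [PAGE_POLICY, FIXED_POLICY]) {
  const { allowed, directive } = checkConnect(policy, TARGET);
  console.log(`${allowed ? "allowed" : "blocked"} by ${directive}: ${policy}`);
}
```

The policy that applies is the one delivered with the page that loads the script (its Content-Security-Policy response header or meta tag), so a connect-src entry only takes effect when it is added there.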


#2

Anything to do with this?


#3

@robfallows thanks for the reply.
I tried prepending the meta tag in different ways, but it does not seem to change anything.
Also, from reading about CSP, I gather it has something to do with HTTP headers, but I am not sure whether it's about headers in my app or the backend of the client.
Do you have any idea?


#4

No - I don’t do any mobile development. I just used my trusty friend, Google. :slight_smile:


#5

@robfallows oh… I have been googling for a few days now :frowning:
By the way, I do not do any mobile development either. I just use a DDP client in a script to connect to my app from any client.


#6

Ah. Sorry - I misunderstood. What DDP client?


#7

This one currently: https://github.com/seeekr/ddp-client
Do you think it has something to do with the ddp client?
I plan to use meteor client bundler by urigo as the new version is out.