Content Security Policy

In a js script I use a ddp client to connect to my meteor app. And suddenly I got this error

Refused to connect 'wss://app.backtocart.co/websocket' because it violates the following 
Content Security Policy directive: "default-src https: data: 'unsafe-inline' 'unsafe-eval' ". 
Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback

What is this? This is the first time I've met it. How can I fix it?

Anything to do with this?

@robfallows thanks for the reply.
I tried prepending the meta tag different ways but it seems to not change anything.
Also, reading about CSP, I gathered it has something to do with HTTP headers, but I am not sure whether it's about headers in my app or the backend of the client?
Do you have any idea?

No - I don’t do any mobile development. I just used my trusty friend, Google. :slight_smile:

@robfallows oh… I am googling for a few days now :frowning:
By the way, I do not do any mobile development either. I just use a ddp client in a script to connect to my app from any client.

Ah. Sorry - I misunderstood. What DDP client?

This one currently https://github.com/seeekr/ddp-client
Do you think it has something to do with the ddp client?
I plan to use meteor client bundler by urigo as the new version is out.

Just ran into a similar issue. Pretty basic app-setup as I am just starting out.

I can NOT load anything from a different url. No fonts, no scripts… here is a screenshot from the console.

I have tried this meta-tag with NO success:

<meta http-equiv="Content-Security-Policy" content="default-src *  data: blob: 'unsafe-inline' 'unsafe-eval'; script-src * data: blob: 'unsafe-inline' 'unsafe-eval'; connect-src * data: blob: 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src * data: blob: ; style-src * data: blob: 'unsafe-inline'; font-src * data: blob: 'unsafe-inline';">

Any ideas what to do?

Use the browser-policy package


Yeah that’s the one. THANKS FOR THE HINT!!

For now I am going “all in” by adding

// Server-side code: browser-policy sets the CSP and X-Frame-Options headers on the Meteor server
import { BrowserPolicy } from 'meteor/browser-policy'
BrowserPolicy.framing.allowAll()               // allow any site to frame the app
BrowserPolicy.content.allowSameOriginForAll('*')
BrowserPolicy.content.allowDataUrlForAll('*')  // data: URLs for every content type
BrowserPolicy.content.allowOriginForAll('*')   // any origin for every content type

Kind of defeats the purpose of Browser Policy, doesn’t it?

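To make the browser's message and the thread's two fixes concrete, here is an added example (not code from the thread or from Meteor's browser-policy package) that models the relevant CSP rules: connect-src falling back to default-src, a meta-tag policy only ever tightening a header policy, and a connect-src that names the websocket origin instead of opening everything. Policy strings and the page origin are constructed from the thread; the matching logic is a simplification of the spec.

```javascript
// Parse a serialized CSP ("dir src src; dir src") into a Map of directive -> source list.
// As in the spec, a repeated directive is ignored: the first occurrence wins.
function parsePolicy(serialized) {
  const policy = new Map();
  for (const part of serialized.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Fetch directives such as connect-src fall back to default-src when not set explicitly,
// which is the "Note that 'connect-src' was not explicitly set" part of the browser's message.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return { directive, sources: policy.get(directive) };
  if (policy.has('default-src')) return { directive: 'default-src', sources: policy.get('default-src') };
  return null; // neither present: unrestricted
}

// Simplified source-expression matching. Deliberately strict about schemes: "https:" matches
// only https URLs, as the browser in the thread behaved (CSP Level 3 also lets it cover wss:).
const DEFAULT_PORT = { 'http:': '80', 'ws:': '80', 'https:': '443', 'wss:': '443' };
function sourceMatches(source, url, pageOrigin) {
  const s = source.toLowerCase();
  if (s === '*') return true;
  if (s === "'self'") return url.origin === pageOrigin;
  if (s.startsWith("'")) return false; // 'unsafe-inline', 'unsafe-eval', nonces, hashes are not origins
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s; // scheme-source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/]+)(?::(\d+|\*))?$/.exec(s); // host-source
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && url.protocol !== scheme + ':') return false; // no scheme given: any scheme accepted here
  if (wildcard ? !url.hostname.endsWith('.' + host) : url.hostname !== host) return false;
  return !port || port === '*' || port === (url.port || DEFAULT_PORT[url.protocol]);
}

// When several policies apply (a header from the server plus a <meta> tag in the page), each
// must allow the request on its own: a <meta> tag can only tighten a header policy, never
// loosen it, which is why the meta tags tried in this thread changed nothing.
function connectionAllowed(policies, urlString, pageOrigin) {
  const url = new URL(urlString);
  return policies.every((serialized) => {
    const eff = effectiveSources(parsePolicy(serialized), 'connect-src');
    return !eff || eff.sources.some((src) => sourceMatches(src, url, pageOrigin));
  });
}

// Constructed policy strings based on the thread, not captured headers.
const SERVER_HEADER = "default-src https: data: 'unsafe-inline' 'unsafe-eval'";
const META_TAG_ATTEMPT = "default-src * data: blob: 'unsafe-inline' 'unsafe-eval'; connect-src * data: blob: 'unsafe-inline'";
// Least-privilege fix: name the websocket origin in connect-src instead of opening everything.
const FIXED_HEADER = SERVER_HEADER + "; connect-src 'self' wss://app.backtocart.co";
```

With browser-policy, the equivalent of FIXED_HEADER is `BrowserPolicy.content.allowConnectOrigin('wss://app.backtocart.co')` on the server rather than the allowOriginForAll('*') shown above.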