From Meteor AI:
The meteor_runtime_config is a crucial part of Meteor’s initialization process. It’s dynamically generated and inserted into the HTML of your application. Here’s how it works:
Runtime Configuration Generation: Meteor generates the runtime configuration object, which includes various settings and information needed for the client-side application to run correctly.
Encoding and Insertion: The runtime configuration is then encoded and inserted as a <script> tag in the HTML of your application. This process is handled automatically by Meteor’s build system.
At least on my site, the runtime config that is inserted into the <script> tag on my home page includes data about Kadira, which isn’t even part of Galaxy any more.
kadira: {
"appId": "kuY8Wjg9m2XWDLQrf",
"endpoint": "https://engine-us.montiapm.com",
"clientEngineSyncDelay": 10000,
"recordIPAddress": "full",
"disableClientErrorTracking": false,
"enableErrorTracking": true
}
This can break content-security-policy, because the hash for meteor_runtime_config generated on the web server does not by default include the Kadira info. Then the hashes don’t match and your CSP policy rejects the entire Meteor app.
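The mismatch described in the post can be checked before deployment. The following is an added example, not part of the original post and not Meteor's own code: it hashes every inline script in a served page and reports those not covered by the `script-src` hashes in the CSP header. The `__meteor_runtime_config__ = JSON.parse(decodeURIComponent(...))` wrapper, the helper names and all sample values are assumptions constructed for illustration.

```javascript
const crypto = require('crypto');

// CSP hash-source: base64 SHA-256 of the exact text between <script> and </script>.
function cspHash(scriptText) {
  const b64 = crypto.createHash('sha256').update(scriptText, 'utf8').digest('base64');
  return `'sha256-${b64}'`;
}

// Text of every inline <script> (no src attribute) in the HTML.
function inlineScripts(html) {
  const out = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    if (!/\bsrc\s*=/i.test(m[1]) && m[2].length > 0) out.push(m[2]);
  }
  return out;
}

// sha256 hash-sources listed in the header's script-src directive.
function allowedHashes(cspHeader) {
  const directive = cspHeader.split(';').map(d => d.trim())
    .find(d => /^script-src\s/i.test(d)) || '';
  return new Set(directive.split(/\s+/).filter(t => t.startsWith("'sha256-")));
}

// Inline scripts the browser would block under this header.
function uncoveredScripts(html, cspHeader) {
  const allowed = allowedHashes(cspHeader);
  return inlineScripts(html)
    .map(script => ({ hash: cspHash(script), script }))
    .filter(entry => !allowed.has(entry.hash));
}

// Assumed shape of the inline runtime-config script (hypothetical helper).
function runtimeConfigScript(config) {
  const encoded = encodeURIComponent(JSON.stringify(config));
  return `__meteor_runtime_config__ = JSON.parse(decodeURIComponent("${encoded}"))`;
}

// Constructed sample data: the hash is computed from the base config only,
// while the page may be served with an extra APM block injected.
const base = { ROOT_URL: 'https://app.example.test/', appId: 'constructed-app-id' };
const withApm = { ...base, kadira: { appId: 'constructed-apm-id', endpoint: 'https://apm.example.test' } };
const csp = `default-src 'self'; script-src 'self' ${cspHash(runtimeConfigScript(base))}`;
const page = cfg =>
  `<html><head><script>${runtimeConfigScript(cfg)}</script><script src="/app.js"></script></head></html>`;

console.log(uncoveredScripts(page(withApm), csp).map(e => e.hash));
```

Running the same check against the HTML your server really returns, with the header it really sends, shows whether the hash was computed over the final injected config or an earlier version of it.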