How to load facebook pixel without getting Content Security Policy error


#1

Trying to add a facebook pixel to a meteor app. Had hoped that this would be a momentary job. It has become a mini-profession. There must be an awfully large number of apps doing this same thing: would be good if this were addressed directly.

Am currently trying to use:

var trusted = [‘unpkg.com’,‘appful.co’,’.facebook.com’, '.facebook.net’, ‘.google-analytics.com’,’’,‘self’,‘unsafe-inline’];
(Note: star character was stripped out of the above. eg was star.facebook.com)

_.each(trusted, function(safeDomains) {
safeDomains = “https://” + safeDomains;
BrowserPolicy.content.allowOriginForAll(safeDomains);
BrowserPolicy.content.allowEval(safeDomains);
BrowserPolicy.content.allowInlineStyles(safeDomains);
BrowserPolicy.content.allowInlineScripts(safeDomains);
BrowserPolicy.content.allowStyleOrigin(safeDomains);
BrowserPolicy.content.allowOriginForAll(safeDomains);
BrowserPolicy.content.allowImageOrigin(safeDomains);
});

this runs fine on local build, but when running remotely, I get:

Refused to load the image ‘https://www.facebook.com/tr/?id=196548560909522&ev=PageView&dl=https%3A%2F%2Fcdcv.fwd.wf%2F&rl=&if=false&ts=1512667607560&v=2.8.1&ec=0&o=30&it=1512667607461’ because it violates the following Content Security Policy directive: “img-src data”.

Also, BrowserPolicy rather critically needs to have an ‘Off’ switch that opens up all security for all origins/all sources, etc. In our current example, we really don’t care about security in our current testing phase, but would really prefer not to be spending hours wrestling with this package that’s designed to make it ‘easy’.

Thanks for your help.