I tried adding (with meteor add) and importing:
import { BrowserPolicy } from 'meteor/browser-policy-common';
BrowserPolicy.content.disallowEval();
and
import { BrowserPolicy } from 'meteor/browser-policy';
BrowserPolicy.content.disallowEval();
But I keep getting Cannot read property 'content' of undefined (BrowserPolicy is undefined).
Using Meteor 1.7
Any idea?
It might be linked to this issue. Try using the global.
The first approach should have worked.
There is a PR request to the Guide to promote Helmet and deprecate the old browser policy. So I would recommend taking a look into that.
Honestly you don't even need the package and can use WebApp to set the browser policy. Like this (with a basic example of some of the policies implemented):
import { Meteor } from 'meteor/meteor';
import { WebApp } from 'meteor/webapp';

Meteor.startup(() => {
  // `s` and `domain` were left undefined in the original snippet; as an assumption
  // they are derived here from the app's root URL (ROOT_URL / Meteor.absoluteUrl())
  const rootUrl = new URL(Meteor.absoluteUrl());
  const s = rootUrl.protocol === 'https:' ? 's' : '';
  const domain = rootUrl.host;

  WebApp.rawConnectHandlers.use((req, res, next) => {
    // Cache control
    res.setHeader('Cache-Control', 'no-cache, no-store, must-revalidate, max-age=0');
    res.setHeader('Pragma', 'no-cache');
    // HSTS: only meaningful when the app is actually served over TLS
    res.setHeader('Strict-Transport-Security', 'max-age=86400; includeSubDomains');
    // Prevent Adobe (Flash/PDF) cross-domain policy files from loading our content
    res.setHeader('X-Permitted-Cross-Domain-Policies', 'none');
    // Frameguard - https://helmetjs.github.io/docs/frameguard/
    res.setHeader('X-Frame-Options', 'DENY');
    // X-XSS protection (legacy header; current browsers have dropped the auditor and rely on CSP)
    res.setHeader('X-XSS-Protection', '1; mode=block');
    // No content sniffing
    res.setHeader('X-Content-Type-Options', 'nosniff');
    // DNS pre-fetching
    res.setHeader('X-DNS-Prefetch-Control', 'off');
    // Expect CT
    res.setHeader('Expect-CT', 'enforce, max-age=604800');
    // Links referrer policy. The header name is Referrer-Policy; the original
    // snippet used 'Referrer-Header', which browsers do not recognise.
    res.setHeader('Referrer-Policy', 'same-origin');
    // Prevent IE from executing downloads in page content
    res.setHeader('X-Download-Options', 'noopen');
    // Content security policy: directives are separated by ';', sources by whitespace.
    // connect-src must cover both the HTTP origin and the DDP WebSocket origin.
    const csp = [
      'default-src',
      "'self'",
      'data:',
      ';',
      'connect-src',
      `http${s}://${domain}`,
      `ws${s}://${domain}`,
      'blob:',
      ...
    ];
    res.setHeader('Content-Security-Policy', csp.join(' '));
    return next();
  });
});
ivan133
September 21, 2019, 6:22pm
zylootino:
{ BrowserPolicy }
You need to import it on the server, not on the client!
https://atmospherejs.com/meteor/browser-policy
Meteor determines the browser policy when the server starts up, so you should call BrowserPolicy functions on the server in top-level application code or in Meteor.startup. BrowserPolicy functions cannot be used in client code.