How to use BrowserPolicy?

I tried adding (with meteor add) and importing:

import { BrowserPolicy } from 'meteor/browser-policy-common';
BrowserPolicy.content.disallowEval();

and

import { BrowserPolicy } from 'meteor/browser-policy';
BrowserPolicy.content.disallowEval();

But I keep having Cannot read property 'content' of undefined (BrowserPolicy is undefined)

Using Meteor 1.7

Any idea?

It might be linked to this issue. Try using the global.

The first approach should have worked.

There is a PR request to the Guide to promote Helmet and deprecate the old browser policy. So I would recommend taking a look into that.

Honestly you don’t even need the package and can use the WebApp to set browser policy. Like this (with a basic example of some of the policies implemented):

import { Meteor } from 'meteor/meteor';
import { WebApp } from 'meteor/webapp';

Meteor.startup(() => {
  WebApp.rawConnectHandlers.use((req, res, next) => {
    // Cache control
    res.setHeader('Cache-Control', 'no-cache, no-store, must-revalidate, max-age=0');
    res.setHeader('Pragma', 'no-cache');
    res.setHeader('Strict-Transport-Security', 'max-age=86400; includeSubDomains');
    // Prevent Adobe stuff loading content on our site
    res.setHeader('X-Permitted-Cross-Domain-Policies', 'none');
    // Frameguard - https://helmetjs.github.io/docs/frameguard/
    res.setHeader('X-Frame-Options', 'DENY');
    // X-XSS protection
    res.setHeader('X-XSS-Protection', '1; mode=block');
    // No content sniffing
    res.setHeader('X-Content-Type-Options', 'nosniff');
    // DNS pre-fetching
    res.setHeader('X-DNS-Prefetch-Control', 'off');
    // Expect CT
    res.setHeader('Expect-CT', 'enforce, max-age=604800');
    // Links referrer policy (the header name is Referrer-Policy, not Referrer-Header)
    res.setHeader('Referrer-Policy', 'same-origin');
    // Prevent IE from executing downloads in page content
    res.setHeader('X-Download-Options', 'noopen');

    // Content security policy. `s` is expected to be 's' when the app is served
    // over TLS and '' otherwise, and `domain` the app's host; both must be
    // defined elsewhere in your server code.
    const csp = [
      'default-src',
      "'self'",
      'data:',
      ';',
      'connect-src',
      `http${s}://${domain}`,
      `ws${s}://${domain}`,
      'blob:',
      // ... further directives
    ];
    res.setHeader('Content-Security-Policy', csp.join(' '));
    return next();
  });
});
3 Likes
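The header-setting logic from the post above, rewritten as a pure function so it can be unit-tested without a running Meteor server. This is an added example, not code from the thread or from Meteor; `domain`, `useTls` and `allowEval` are assumed parameters, and `allowEval` defaulting to false mirrors what `BrowserPolicy.content.disallowEval()` does (no `'unsafe-eval'` in the policy).

```javascript
// Build a Content-Security-Policy value from an object of directives.
// Each directive maps to an array of sources; an empty array emits the
// directive bare (e.g. "upgrade-insecure-requests").
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => (sources.length ? `${name} ${sources.join(' ')}` : name))
    .join('; ');
}

// Assemble the response headers for one request. Assumed inputs:
// domain    - host the client connects to (e.g. 'app.example.com')
// useTls    - whether the app is served over https/wss
// allowEval - whether 'unsafe-eval' is permitted (false = disallowEval())
function securityHeaders({ domain, useTls = true, allowEval = false }) {
  const s = useTls ? 's' : '';
  const scriptSrc = ["'self'"];
  if (allowEval) scriptSrc.push("'unsafe-eval'");
  const csp = buildCsp({
    'default-src': ["'self'", 'data:'],
    'script-src': scriptSrc,
    'connect-src': [`http${s}://${domain}`, `ws${s}://${domain}`, 'blob:'],
    'frame-ancestors': ["'none'"], // CSP counterpart of X-Frame-Options: DENY
  });
  return {
    'Cache-Control': 'no-cache, no-store, must-revalidate, max-age=0',
    'Pragma': 'no-cache',
    'Strict-Transport-Security': 'max-age=86400; includeSubDomains',
    'X-Permitted-Cross-Domain-Policies': 'none',
    'X-Frame-Options': 'DENY',
    'X-Content-Type-Options': 'nosniff',
    'X-DNS-Prefetch-Control': 'off',
    'Referrer-Policy': 'same-origin', // correct name; 'Referrer-Header' is ignored by browsers
    'X-Download-Options': 'noopen',
    'Content-Security-Policy': csp,
  };
}

// Apply the headers to any object with setHeader(name, value), such as the
// `res` passed to a WebApp.rawConnectHandlers.use callback. Returns the map
// that was applied so callers can inspect it.
function applySecurityHeaders(res, opts) {
  const headers = securityHeaders(opts);
  for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
  return headers;
}
```

Inside Meteor you would call `applySecurityHeaders(res, { domain, useTls })` from the connect handler and then `next()`.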

You need to import it on the server, not on the client!
https://atmospherejs.com/meteor/browser-policy

Meteor determines the browser policy when the server starts up, so you should call BrowserPolicy functions on the server in top-level application code or in Meteor.startup. BrowserPolicy functions cannot be used in client code.