[Error] Refused to connect to ws://192.168.0.4:3000/sockjs/540/cnepflb6/websocket because it does not appear in the connect-src directive of the Content Security Policy.
Anyone have any other ideas? This is pretty vexing.
P.S. I suspect this is also causing Meteor to fall back to XHR and load things much more slowly. But I'm not 100% certain of that.
The logic is unclear to me though. The latest devel branch of boilerplate-pack does not add this CSP tag to the header for web boilerplate, only for Cordova. But some of the comments here (https://github.com/meteor/meteor/issues/7772) imply that previous versions, but now not iOS 10, would apply the Cordova CSP in the WKWebView. So I’m not sure if the change should be made to:
Should it be set for both? Seems so. That said, when I set it manually, and it gets down to the browser, it still doesn’t seem to work. I’m wondering if we’re dealing with a Safari issue more than a Meteor issue.
I still have the problem that user login fails if the app has been started for the very first time on iOS. Everything else (like publications or methods) is working. But after entering user credentials and clicking on the login button, nothing happens. There is no clue about any issue in the logs, neither in the Safari log nor in the Xcode log. The login just fails, and the login dialog stays in the logging-in mode.
If I close the app right after the first start and re-open it, the login usually works. It also sometimes works if I click around in the app before trying to log in. But if I try to log in directly after the very first startup, login fails. I am using useraccounts:bootstrap.
I’ve run into this issue where the Facebook App webview loads our app… without the CSP fix added to the webapp, we run into the same wss issue as the iOS 10 Cordova app.
If there is a reason to not add the CSP header to the webapp, I’d love to hear it.
I’m guessing these are all the same issue at the core. Basically iOS 10 updated WKWebView to be more secure and require the CSP in this case where it might have been a bit more permissive in the past. _And…_ things like Cordova, FB App web view, Chrome, Safari, launching from homescreen (basically a special web bookmark) are all using the same WKWebView and are all affected by this.
I do think the CSP header needs to be added for all, but the method of adding seems to differ. With Cordova, Meteor’s boilerplate code adds it for you. With a non-Cordova web app, you need to use BrowserPolicy:
meteor add browser-policy
(I’m at version 1.0.9)
And then somewhere (in the server code actually) during startup, do this:
To your client/main.html under if you’re not using BrowserPolicy. I did not test that. But if you’re using BrowserPolicy, it is setting that meta tag and the one you set manually in client/main.html will be ignored (or at least that’s how it looks).
Actually I ended up getting a working implementation where React-Helmet adds the CSP to the head. Have yet to actually do it for ‘just iOS’, but it seems to work for now.
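To check a candidate policy against the WebSocket endpoint from the error at the top of the thread before shipping it, here is an added example (not code from any poster or from Meteor) of a simplified connect-src matcher. It assumes `'self'` is matched strictly against the page's own scheme, host and port. The function names and the page origin `http://192.168.0.4:3000/` are hypothetical.

```javascript
// Added example: simplified connect-src check, not a full CSP implementation.
// Assumption: 'self' is matched strictly (same scheme, host and port as the
// page), so an http:// page's 'self' does not cover a ws:// endpoint.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

function originOf(url) {
  const u = new URL(url);
  return { scheme: u.protocol, host: u.hostname, port: u.port || DEFAULT_PORTS[u.protocol] || "" };
}

// Parse "name src src; name src" into { name: [src, ...] }; first occurrence wins.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in directives)) directives[key] = sources;
  }
  return directives;
}

function sourceMatches(source, target, page) {
  if (source === "'self'") {
    return target.scheme === page.scheme && target.host === page.host && target.port === page.port;
  }
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {
    return source.toLowerCase() === target.scheme; // scheme-source such as ws:
  }
  if (/^[a-z][a-z0-9+.-]*:\/\/[^*]+$/i.test(source)) {
    const s = originOf(source); // host-source with an explicit scheme
    return s.scheme === target.scheme && s.host === target.host && s.port === target.port;
  }
  return false; // wildcards, scheme-less hosts, nonces etc. are not handled: fail closed
}

// True if the policy lets a page at pageUrl open a WebSocket to wsUrl.
function wsAllowed(policy, pageUrl, wsUrl) {
  const directives = parseCsp(policy);
  const sources = directives["connect-src"] || directives["default-src"];
  if (!sources) return true; // no governing directive means no restriction
  return sources.some((src) => sourceMatches(src, originOf(wsUrl), originOf(pageUrl)));
}

// Constructed inputs: the ws:// URL is from the error above; the page origin is assumed.
const PAGE = "http://192.168.0.4:3000/";
const WS = "ws://192.168.0.4:3000/sockjs/540/cnepflb6/websocket";
console.log(wsAllowed("default-src 'self'", PAGE, WS));
console.log(wsAllowed("connect-src 'self' ws://192.168.0.4:3000", PAGE, WS));
```

Listing the exact WebSocket origin keeps connect-src narrower than a bare `ws: wss:` scheme source, which allows WebSocket connections to any host. In the browser-policy package, origins are added to connect-src with `BrowserPolicy.content.allowConnectOrigin(origin)`.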