Meteor 1.8.1: Unexpected Error (too many CSP rules?)

We were using Meteor 1.8.04 I believe, and with the release of Meteor 1.8.1 we’ve decided to update.

While we got this error before, it was always when reloading the app after multiple changes in files and very briefly, but now our app doesn’t load at all.

The app starts normally, with no errors at all in the console.

Any help?

Packages:

meteor-base@1.4.0             # Packages every Meteor app needs to have
mobile-experience@1.0.5       # Packages for a great mobile UX
mongo@1.6.2                   # The database Meteor supports right now
tracker@1.2.0                 # Meteor's client-side reactive programming library

standard-minifier-js@2.4.1    # JS minifier run for production mode
es5-shim@4.8.0                # ECMAScript 5 compatibility for older browsers.
ecmascript@0.12.4              # Enable ECMAScript2015+ syntax in app code
shell-server@0.4.0            # Server-side component of the `meteor shell` command
dynamic-import@0.5.1
accounts-password@1.5.1
random@1.1.0
force-ssl@1.1.0
minifier-css@1.4.2

# Accounts
lindoelio:office365-oauth
bozhao:link-accounts
accounts-google@1.3.2

# Vue
akryum:vue-component
akryum:vue-sass
static-html
akryum:vue-pug

# Performance
meteorhacks:aggregate
mixmax:smart-disconnect
lamhieu:unblock

# APM
mdg:meteor-apm-agent

# UI
fourseven:scss

# Search
acemtp:algolia

# Data layer
mdg:validated-method
aldeed:collection2-core@2.0.1
matb33:collection-hooks
ed-link:mongo-algolia-sync

# Security
browser-policy@1.1.0
hitchcott:method-hooks
ccorcos:subs-cache

# Analytics
ed-link:events
  • Removing vue packages apparently doesn’t fix the problem.
  • meteor reset didn’t work

You should post the “Shell” window content here, the meteor server error.

@minhna Thanks for your reply. But that’s the thing, there’s no console error.

Ok, so we’ve identified the error.

We’re using the CSP package. We have a list of more than ~50 rules/domains that we run BrowserPolicy.content.allowOriginForAll on.

When the list gets too big, it throws the error.

In my tests, when it goes above a certain character limit, it throws the Unexpected error and no console error.

Works:

// Allow rules for Browser Policy
const allowOriginForAll = ['fonts.googleapis.com', 'fonts.gstatic.com', 'https://*.stripe.com',
  '*.cloudinary.com', 'https://cdnjs.cloudflare.com', 'https://maps.googleapis.com',
  'https://maps.gstatic.com', 'https://csi.gstatic.com', 'https://*.wistia.com',
  'http://fast.wistia.com', 'https://embedwistia-a.akamaihd.net',
  'http://src.litix.io/core/2/mux.js', 'http://fast.wistia.net', 'blob:',
  'https://raw.githubusercontent.com', 'https://ipinfo.io', 'https://graph.facebook.com',
  'https://scontent.xx.fbcdn.net', 'https://geteducation.link', 'https://graph.facebook.com',
  'https://scontent.cdninstagram.com', 'https://api.instagram.com', 'https://js.hubspotfeedback.com',
  'http://www.youtube.com/', 'https://s.ytimg.com/', 'https://lookaside.facebook.com',
  'https://www.google-analytics.com', 'https://stats.g.doubleclick.net', 'https://www.google.com',
  'https://www.google.com.au', 'https://static.hotjar.com', 'https://vars.hotjar.com',
  'https://script.hotjar.com', 'https://www.googletagmanager.com', 'http://tagmanager.google.com',
  'https://ssl.gstatic.com', 'https://www.gstatic.com', 'https://app.hubspot.com/',
  'http://js.hs-scripts.com', 'https://js.hscollectedforms.net', 'https://js.usemessages.com',
  'http://js.hs-analytics.net', 'http://track.hubspot.com', 'https://js.hsadspixel.net',
  'https://connect.facebook.net'];

allowOriginForAll.forEach(item => BrowserPolicy.content.allowOriginForAll(item));

Does not work:

// Allow rules for Browser Policy
const allowOriginForAll = ['fonts.googleapis.com', 'fonts.gstatic.com', 'https://*.stripe.com',
  '*.cloudinary.com', 'https://cdnjs.cloudflare.com', 'https://maps.googleapis.com',
  'https://maps.gstatic.com', 'https://csi.gstatic.com', 'https://*.wistia.com',
  'http://fast.wistia.com', 'https://embedwistia-a.akamaihd.net',
  'http://src.litix.io/core/2/mux.js', 'http://fast.wistia.net', 'blob:',
  'https://raw.githubusercontent.com', 'https://ipinfo.io', 'https://graph.facebook.com',
  'https://scontent.xx.fbcdn.net', 'https://geteducation.link', 'https://graph.facebook.com',
  'https://scontent.cdninstagram.com', 'https://api.instagram.com', 'https://js.hubspotfeedback.com',
  'http://www.youtube.com/', 'https://s.ytimg.com/', 'https://lookaside.facebook.com',
  'https://www.google-analytics.com', 'https://stats.g.doubleclick.net', 'https://www.google.com',
  'https://www.google.com.au', 'https://static.hotjar.com', 'https://vars.hotjar.com',
  'https://script.hotjar.com', 'https://www.googletagmanager.com', 'http://tagmanager.google.com',
  'https://ssl.gstatic.com', 'https://www.gstatic.com', 'https://app.hubspot.com/',
  'http://js.hs-scripts.com', 'https://js.hscollectedforms.net', 'https://js.usemessages.com',
  'http://js.hs-analytics.net', 'http://track.hubspot.com', 'https://js.hsadspixel.net',
  'https://connect.facebook.net', 'https://www.facebook.com', 'http://documents.geteducation.link',
  'https://forms.hubspot.com/', 'https://platform-lookaside.fbsbx.com', 'https://cdn.headwayapp.co',
  'https://px.ads.linkedin.com', 'https://headway-widget.net/', 'https://js.hsleadflows.net',
  'https://www.googleadservices.com', 'https://snap.licdn.com', 'https://bid.g.doubleclick.net',
  'https://googleads.g.doubleclick.net', 'https://t.hs-growth-metrics.com',
  '*.cloudflarestream.com', 'https://help.geteducation.link',
  '*.videodelivery.net', 'https://cloudflarestream.com', 'https://t.hs-growth-metrics.com',
  'https://videodelivery.net', 'cdn2.hubspot.net', 'https://maxcdn.icons8.com',
  'https://pages.geteducation.link', 'https://js.hsforms.net', 'https://forms.hsforms.com',
  'https://js.hscta.net', 'http://cta-service-cms2.hubspot.com', 'https://www.googleadservices.com',
  'https://rum-static.pingdom.net', 'https://www.gostudy.com.au', 'https://*.googleusercontent.com', 'https://docs.google.com'];

We’re experiencing the same thing. For us it’s around 25, and we get “unexpected error”, nothing in the console. Have you come across a solution for this?

Not yet. We haven’t moved to the newest update of Meteor because of that. And as I didn’t have time to investigate, I didn’t open a ticket either. On top of that, as this post was “ignored” before, I thought it was just our app.

I was considering using WebApp connect handlers to do the CSP manually and see if it works.

If you are going the WebApp route, maybe take a look at https://github.com/helmetjs/csp. It’s middleware for CSP. Might have better luck with that.

We also get the unexpected error sometimes when refreshing the server often after code changes, but we have BrowserPolicy completely disabled, so I’m not sure what is causing it.

Yes, we get this error too in Dev. Unfortunately, with the new version we get the error all the time.

Not that frequent for us, it was more when developing within a package and the chances increase with many server restarts.

Good catch @raphaelarias with the CSP! Looks like the issue is caused by the Node version update. The HTTP headers size limit has been dropped to 8KB by default, see https://github.com/nodejs/node/issues/24692 for the long story.

You can raise this limit by using NODE_OPTIONS='--max-http-header-size=20000' before the meteor run command. It fixed the issue for me. :tada:

Awesome @simonbelanger! Thanks for solving the mystery! :tada: :tada: :tada:
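
The size effect behind this thread, as an added example that is not part of any post and is not browser-policy's own code: when every allowed origin is repeated in each CSP directive, the header grows with origins × directives and can pass the 8KB Node default mentioned above. The directive set, the helper names and the example.com origins are assumptions constructed for illustration.

```javascript
// Added example: estimate the size of a Content-Security-Policy header built by
// repeating one origin allow-list in every directive.
// ASSUMPTIONS: SAMPLE_DIRECTIVES is a constructed sample policy, and 8 * 1024
// is the "8KB" Node default quoted in the thread.
const NODE_DEFAULT_MAX_HEADER_BYTES = 8 * 1024;

const SAMPLE_DIRECTIVES = {
  'default-src': ["'self'"],
  'script-src': ["'self'", "'unsafe-inline'"],
  'connect-src': ['*'],
  'img-src': ['data:', "'self'"],
  'style-src': ["'self'", "'unsafe-inline'"],
};

// Remove exact duplicate entries; each duplicate is paid for once per directive.
function dedupeOrigins(origins) {
  return [...new Set(origins.map((o) => o.trim()))];
}

// Serialize the policy: every directive gets its base sources plus all origins.
function buildCspHeader(origins, directives = SAMPLE_DIRECTIVES) {
  return Object.entries(directives)
    .map(([name, base]) => [name, ...base, ...origins].join(' '))
    .join('; ');
}

// Compare the single CSP header line against the limit. The limit covers the
// whole header section, so this is a lower bound on what the parser will see.
function cspHeaderReport(origins, directives = SAMPLE_DIRECTIVES,
                         limit = NODE_DEFAULT_MAX_HEADER_BYTES) {
  const unique = dedupeOrigins(origins);
  const line = `Content-Security-Policy: ${buildCspHeader(unique, directives)}\r\n`;
  const bytes = Buffer.byteLength(line, 'utf8');
  return { origins: unique.length, bytes, limit, overLimit: bytes > limit };
}

// Constructed sample input: n distinct placeholder origins.
function constructedOrigins(n) {
  return Array.from({ length: n }, (_, i) => `https://cdn${i}.example.com`);
}

console.log(cspHeaderReport(constructedOrigins(20)));
console.log(cspHeaderReport(constructedOrigins(80)));
```

Running the report at build or startup time with the app's real allow-list shows how close the policy is to the limit before a new origin is added.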