Meteor 1.8.1: Unexpected Error (too many CSP rules?)

We were using Meteor 1.8.04 I believe, and with the release of Meteor 1.8.1 we’ve decided to update.

While we got this error before, it was always when reloading the app after multiple changes in files and very briefly, but now our app doesn’t load at all.

The app starts normally, with no errors at all in the console.

Any help?

Packages:

meteor-base@1.4.0             # Packages every Meteor app needs to have
mobile-experience@1.0.5       # Packages for a great mobile UX
mongo@1.6.2                   # The database Meteor supports right now
tracker@1.2.0                 # Meteor's client-side reactive programming library

standard-minifier-js@2.4.1    # JS minifier run for production mode
es5-shim@4.8.0                # ECMAScript 5 compatibility for older browsers.
ecmascript@0.12.4              # Enable ECMAScript2015+ syntax in app code
shell-server@0.4.0            # Server-side component of the `meteor shell` command
dynamic-import@0.5.1
accounts-password@1.5.1
random@1.1.0
force-ssl@1.1.0
minifier-css@1.4.2

# Accounts
lindoelio:office365-oauth
bozhao:link-accounts
accounts-google@1.3.2

# Vue
akryum:vue-component
akryum:vue-sass
static-html
akryum:vue-pug

# Performance
meteorhacks:aggregate
mixmax:smart-disconnect
lamhieu:unblock

# APM
mdg:meteor-apm-agent

# UI
fourseven:scss

# Search
acemtp:algolia

# Data layer
mdg:validated-method
aldeed:collection2-core@2.0.1
matb33:collection-hooks
ed-link:mongo-algolia-sync

# Security
browser-policy@1.1.0
hitchcott:method-hooks
ccorcos:subs-cache

# Analytics
ed-link:events
  • Removing the Vue packages apparently doesn’t fix the problem.
  • meteor reset didn’t work

You should post the “Shell” window content here, the Meteor server error.

@minhna Thanks for your reply. But that’s the thing, there’s no console error.

Ok, so we’ve identified the error.

We’re using the CSP package. We have a list of more than ~50 rules/domains that we run BrowserPolicy.content.allowOriginForAll on.

When the list gets too big, it throws the error.

In my tests, when it goes above a certain character limit, it throws the Unexpected error and no console error.

Works:

// Allow rules for Browser Policy
const allowOriginForAll = ['fonts.googleapis.com', 'fonts.gstatic.com', 'https://*.stripe.com',
  '*.cloudinary.com', 'https://cdnjs.cloudflare.com', 'https://maps.googleapis.com',
  'https://maps.gstatic.com', 'https://csi.gstatic.com', 'https://*.wistia.com',
  'http://fast.wistia.com', 'https://embedwistia-a.akamaihd.net',
  'http://src.litix.io/core/2/mux.js', 'http://fast.wistia.net', 'blob:',
  'https://raw.githubusercontent.com', 'https://ipinfo.io', 'https://graph.facebook.com',
  'https://scontent.xx.fbcdn.net', 'https://geteducation.link', 'https://graph.facebook.com',
  'https://scontent.cdninstagram.com', 'https://api.instagram.com', 'https://js.hubspotfeedback.com',
  'http://www.youtube.com/', 'https://s.ytimg.com/', 'https://lookaside.facebook.com',
  'https://www.google-analytics.com', 'https://stats.g.doubleclick.net', 'https://www.google.com',
  'https://www.google.com.au', 'https://static.hotjar.com', 'https://vars.hotjar.com',
  'https://script.hotjar.com', 'https://www.googletagmanager.com', 'http://tagmanager.google.com',
  'https://ssl.gstatic.com', 'https://www.gstatic.com', 'https://app.hubspot.com/',
  'http://js.hs-scripts.com', 'https://js.hscollectedforms.net', 'https://js.usemessages.com',
  'http://js.hs-analytics.net', 'http://track.hubspot.com', 'https://js.hsadspixel.net',
  'https://connect.facebook.net'];

allowOriginForAll.forEach(item => BrowserPolicy.content.allowOriginForAll(item));

Does not work:

// Allow rules for Browser Policy
const allowOriginForAll = ['fonts.googleapis.com', 'fonts.gstatic.com', 'https://*.stripe.com',
  '*.cloudinary.com', 'https://cdnjs.cloudflare.com', 'https://maps.googleapis.com',
  'https://maps.gstatic.com', 'https://csi.gstatic.com', 'https://*.wistia.com',
  'http://fast.wistia.com', 'https://embedwistia-a.akamaihd.net',
  'http://src.litix.io/core/2/mux.js', 'http://fast.wistia.net', 'blob:',
  'https://raw.githubusercontent.com', 'https://ipinfo.io', 'https://graph.facebook.com',
  'https://scontent.xx.fbcdn.net', 'https://geteducation.link', 'https://graph.facebook.com',
  'https://scontent.cdninstagram.com', 'https://api.instagram.com', 'https://js.hubspotfeedback.com',
  'http://www.youtube.com/', 'https://s.ytimg.com/', 'https://lookaside.facebook.com',
  'https://www.google-analytics.com', 'https://stats.g.doubleclick.net', 'https://www.google.com',
  'https://www.google.com.au', 'https://static.hotjar.com', 'https://vars.hotjar.com',
  'https://script.hotjar.com', 'https://www.googletagmanager.com', 'http://tagmanager.google.com',
  'https://ssl.gstatic.com', 'https://www.gstatic.com', 'https://app.hubspot.com/',
  'http://js.hs-scripts.com', 'https://js.hscollectedforms.net', 'https://js.usemessages.com',
  'http://js.hs-analytics.net', 'http://track.hubspot.com', 'https://js.hsadspixel.net',
  'https://connect.facebook.net', 'https://www.facebook.com', 'http://documents.geteducation.link',
  'https://forms.hubspot.com/', 'https://platform-lookaside.fbsbx.com', 'https://cdn.headwayapp.co',
  'https://px.ads.linkedin.com', 'https://headway-widget.net/', 'https://js.hsleadflows.net',
  'https://www.googleadservices.com', 'https://snap.licdn.com', 'https://bid.g.doubleclick.net',
  'https://googleads.g.doubleclick.net', 'https://t.hs-growth-metrics.com',
  '*.cloudflarestream.com', 'https://help.geteducation.link',
  '*.videodelivery.net', 'https://cloudflarestream.com', 'https://t.hs-growth-metrics.com',
  'https://videodelivery.net', 'cdn2.hubspot.net', 'https://maxcdn.icons8.com',
  'https://pages.geteducation.link', 'https://js.hsforms.net', 'https://forms.hsforms.com',
  'https://js.hscta.net', 'http://cta-service-cms2.hubspot.com', 'https://www.googleadservices.com',
  'https://rum-static.pingdom.net', 'https://www.gostudy.com.au', 'https://*.googleusercontent.com', 'https://docs.google.com'];
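
Added example, not part of the original posts: a stand-alone Node.js check that estimates how large the Content-Security-Policy header becomes when every origin in a list is repeated in every directive, and flags duplicate entries such as the repeated `https://graph.facebook.com` in the lists above. The directive list, the scheme-expansion rule (modelled on the browser-policy documentation), the 8192-byte budget and the function names are assumptions, and the sample list is constructed from a few entries in the thread.

```javascript
// Added example, not code from the thread. DIRECTIVES and BUDGET_BYTES are
// assumptions; set them to what your deployment actually emits and tolerates.
const DIRECTIVES = ['default-src', 'script-src', 'object-src', 'img-src',
  'media-src', 'frame-src', 'font-src', 'connect-src', 'style-src'];
const BUDGET_BYTES = 8192; // hypothetical header budget, not from the thread

// Normalise one entry: drop trailing slashes; an entry with no scheme is
// allowed over both http and https (per the browser-policy docs).
function expandOrigin(origin) {
  const o = origin.trim().toLowerCase().replace(/\/+$/, '');
  // "https://host" or a bare scheme like "blob:" already names its scheme.
  if (/^[a-z][a-z0-9+.-]*:(\/\/|$)/.test(o)) return [o];
  return [`http://${o}`, `https://${o}`];
}

// Estimated size of the header when every unique source is repeated in
// every directive, which is what an "allow for all" call implies.
function estimateHeaderBytes(origins, directives = DIRECTIVES) {
  const sources = [...new Set(origins.flatMap(expandOrigin))].join(' ');
  const value = directives.map(d => `${d} 'self' ${sources};`).join(' ');
  return Buffer.byteLength(`Content-Security-Policy: ${value}`, 'utf8');
}

// Report duplicates and whether the estimate exceeds the budget.
function audit(origins, budgetBytes = BUDGET_BYTES) {
  const expanded = origins.flatMap(expandOrigin);
  const duplicates = [...new Set(expanded.filter((s, i) => expanded.indexOf(s) !== i))];
  const bytes = estimateHeaderBytes(origins);
  return {
    entries: origins.length,
    uniqueSources: new Set(expanded).size,
    duplicates,
    bytes,
    overBudget: bytes > budgetBytes,
  };
}

// Constructed sample: a few entries taken from the list in the thread.
const SAMPLE = ['fonts.googleapis.com', 'https://graph.facebook.com', 'blob:',
  'https://s.ytimg.com/', 'https://graph.facebook.com'];

console.log(audit(SAMPLE));
```

Each scheme-less entry adds two sources to all nine assumed directives, so the header grows much faster than the list itself.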