[SOLVED] Using browser-policy in Meteor app deployed to Heroku enters reload infinite loop


#1

Hi! I have just disabled browser-policy package from my app deployed to Heroku because if I leave it enabled, my app won’t load HTTPS!

If I access my app through http://app.domain.com it works, but accessing with https://app.domain.com it enters an infinite reload loop.

Heroku app logs

2018-10-17T23:52:16.299384+00:00 heroku[router]: at=info method=GET path="/sockjs/048/yk_lctvs/websocket" host=app.domain.com request_id=8d322763-1141-4217-94e1-5b390e1e9739 fwd="181.95.179.168,162.158.123.96" dyno=web.1 connect=1ms service=765ms status=101 bytes=175 protocol=http

2018-10-17T23:52:16.336802+00:00 heroku[router]: at=info method=GET path="/login" host=app.domain.com request_id=9d1fe273-3abb-4ecf-996f-ced82b07117e fwd="181.95.179.168,162.158.123.114" dyno=web.1 connect=1ms service=9ms status=200 bytes=4442 protocol=http

2018-10-17T23:52:16.512511+00:00 heroku[router]: at=info method=GET path="/sockjs/info?cb=5g7x6pmg9k" host=app.domain.com request_id=dfd71b44-5b95-42b3-b02f-bd118e91804a fwd="181.95.179.168,162.158.123.114" dyno=web.1 connect=1ms service=3ms status=200 bytes=363 protocol=http

2018-10-17T23:52:17.119755+00:00 heroku[router]: at=info method=GET path="/sockjs/info?cb=jadymh88hj" host=app.domain.com request_id=0febb4b3-107a-41ad-b427-6f187a32c3b2 fwd="181.95.179.168,162.158.123.114" dyno=web.1 connect=0ms service=4ms status=200 bytes=363 protocol=http

2018-10-17T23:52:18.401775+00:00 heroku[router]: at=info method=GET path="/sockjs/559/3by4bm5x/websocket" host=app.domain.com request_id=85b5cf5b-7c75-4472-9a0e-46c76c8cd534 fwd="181.95.179.168,162.158.123.95" dyno=web.1 connect=0ms service=664ms status=101 bytes=175 protocol=http

2018-10-17T23:52:18.410152+00:00 heroku[router]: at=info method=GET path="/login" host=app.domain.com request_id=ebd62bbc-a041-40aa-9c21-e15414655a59 fwd="181.95.179.168,162.158.123.114" dyno=web.1 connect=1ms service=7ms status=200 bytes=4442 protocol=http

2018-10-17T23:52:18.616711+00:00 heroku[router]: at=info method=GET path="/sockjs/info?cb=7k081p4ay5" host=app.domain.com request_id=a780d8d5-a149-4a55-a43d-b9be9dbfd1bc fwd="181.95.179.168,162.158.123.114" dyno=web.1 connect=0ms service=1ms status=200 bytes=363 protocol=http

2018-10-17T23:52:19.144127+00:00 heroku[router]: at=info method=GET path="/sockjs/info?cb=3zq5040dzp" host=app.domain.com request_id=a86deb0d-8ee1-4ed6-9c60-88ea639afb7e fwd="181.95.179.168,162.158.123.114" dyno=web.1 connect=1ms service=2ms status=200 bytes=363 protocol=http

2018-10-17T23:52:20.417289+00:00 heroku[router]: at=info method=GET path="/login" host=app.domain.com request_id=1f7bf690-22a2-44c6-bfc2-76de3bef3558 fwd="181.95.179.168,162.158.123.114" dyno=web.1 connect=1ms service=7ms status=200 bytes=4442 protocol=http

2018-10-17T23:52:20.405086+00:00 heroku[router]: at=info method=GET path="/sockjs/802/r48516e0/websocket" host=app.domain.com request_id=2f733dc7-2d60-4770-b83d-52f53b5bc58a fwd="181.95.179.168,162.158.123.96" dyno=web.1 connect=0ms service=662ms status=101 bytes=175 protocol=http

This issue seems to be related to meteor package browser-policy. After disabling it in meteor packages file and removing the startup code the site stopped redirecting.

The startup code for browser-policy is as follows:

import { BrowserPolicy } from 'meteor/browser-policy-common';

// Sends X-Frame-Options: DENY so the app cannot be framed.
BrowserPolicy.framing.disallow();
// Content-Security-Policy switches: inline scripts off, inline styles on, eval() off.
BrowserPolicy.content.disallowInlineScripts();
BrowserPolicy.content.allowInlineStyles();
BrowserPolicy.content.disallowEval();

// Origins allowed for every content type (scripts, styles, images, connections, ...).
const trusted = [
  'maps.googleapis.com',
  'maps.gstatic.com',
  'csi.gstatic.com',
  'xxxxxx.herokuapp.com',
  'xxxxxx.xxxxxx.com.ar',
  'fonts.googleapis.com',
  'fonts.gstatic.com',
  'cdnjs.cloudflare.com',
  'unpkg.com',
  'a.tile.openstreetmap.org',
  'b.tile.openstreetmap.org',
  'c.tile.openstreetmap.org',
  'blob:',
];

// forEach instead of _.map: the calls are made only for their side effect.
trusted.forEach(origin => BrowserPolicy.content.allowOriginForAll(origin));

I tried locally with the --production flag, but the app works just fine; the issue appears on Heroku and HTTPS.

Result of curl -I https://xxxxxxapp.xxxxxx.com.ar without browser-policy

HTTP/2 200
date: Thu, 18 Oct 2018 01:50:03 GMT
content-type: text/html; charset=utf-8
set-cookie: __cfduid=db059cc963d845229b78a2abab9a16cf11539827403; expires=Fri, 18-Oct-19 01:50:03 GMT; path=/; domain=.xxxxxx.com.ar; HttpOnly; Secure
vary: Accept-Encoding
via: 1.1 vegur
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
server: cloudflare
cf-ray: 46b75a165fe6b955-MIA

Result of curl -I https://xxxxxxapp.xxxxxx.com.ar with browser-policy

HTTP/2 200
date: Thu, 18 Oct 2018 01:58:14 GMT
content-type: text/html; charset=utf-8
set-cookie: __cfduid=db99f6a23afe45ea21dcb502d237127381539827894; expires=Fri, 18-Oct-19 01:58:14 GMT; path=/; domain=.xxxxxx.com.ar; HttpOnly; Secure
x-content-type-options: nosniff
x-frame-options: DENY
content-security-policy: default-src 'self' http://maps.googleapis.com https://maps.googleapis.com http://maps.gstatic.com https://maps.gstatic.com http://csi.gstatic.com https://csi.gstatic.com http://xxxxxx.herokuapp.com https://xxxxxx.herokuapp.com http://xxxxxxapp.xxxxxx.com.ar https://xxxxxxapp.xxxxxx.com.ar http://fonts.googleapis.com https://fonts.googleapis.com http://fonts.gstatic.com https://fonts.gstatic.com http://cdnjs.cloudflare.com https://cdnjs.cloudflare.com http://unpkg.com https://unpkg.com http://a.tile.openstreetmap.org https://a.tile.openstreetmap.org http://b.tile.openstreetmap.org https://b.tile.openstreetmap.org http://c.tile.openstreetmap.org https://c.tile.openstreetmap.org blob:; script-src 'self' http://maps.googleapis.com https://maps.googleapis.com http://maps.gstatic.com https://maps.gstatic.com http://csi.gstatic.com https://csi.gstatic.com http://xxxxxx.herokuapp.com https://xxxxxx.herokuapp.com http://xxxxxxapp.xxxxxx.com.ar https://xxxxxxapp.xxxxxx.com.ar http://fonts.googleapis.com https://fonts.googleapis.com http://fonts.gstatic.com https://fonts.gstatic.com http://cdnjs.cloudflare.com https://cdnjs.cloudflare.com http://unpkg.com https://unpkg.com http://a.tile.openstreetmap.org https://a.tile.openstreetmap.org http://b.tile.openstreetmap.org https://b.tile.openstreetmap.org http://c.tile.openstreetmap.org https://c.tile.openstreetmap.org blob: 'unsafe-eval'; connect-src * 'self' http://maps.googleapis.com https://maps.googleapis.com http://maps.gstatic.com https://maps.gstatic.com http://csi.gstatic.com https://csi.gstatic.com http://xxxxxx.herokuapp.com https://xxxxxx.herokuapp.com http://xxxxxxapp.xxxxxx.com.ar https://xxxxxxapp.xxxxxx.com.ar http://fonts.googleapis.com https://fonts.googleapis.com http://fonts.gstatic.com https://fonts.gstatic.com http://cdnjs.cloudflare.com https://cdnjs.cloudflare.com http://unpkg.com https://unpkg.com http://a.tile.openstreetmap.org https://a.tile.openstreetmap.org http://b.tile.openstreetmap.org https://b.tile.openstreetmap.org http://c.tile.openstreetmap.org https://c.tile.openstreetmap.org blob:; img-src data: 'self' http://maps.googleapis.com https://maps.googleapis.com http://maps.gstatic.com https://maps.gstatic.com http://csi.gstatic.com https://csi.gstatic.com http://xxxxxx.herokuapp.com https://xxxxxx.herokuapp.com http://xxxxxxapp.xxxxxx.com.ar https://xxxxxxapp.xxxxxx.com.ar http://fonts.googleapis.com https://fonts.googleapis.com http://fonts.gstatic.com https://fonts.gstatic.com http://cdnjs.cloudflare.com https://cdnjs.cloudflare.com http://unpkg.com https://unpkg.com http://a.tile.openstreetmap.org https://a.tile.openstreetmap.org http://b.tile.openstreetmap.org https://b.tile.openstreetmap.org http://c.tile.openstreetmap.org https://c.tile.openstreetmap.org blob:; style-src 'self' 'unsafe-inline' http://maps.googleapis.com https://maps.googleapis.com http://maps.gstatic.com https://maps.gstatic.com http://csi.gstatic.com https://csi.gstatic.com http://xxxxxx.herokuapp.com https://xxxxxx.herokuapp.com http://xxxxxxapp.xxxxxx.com.ar https://xxxxxxapp.xxxxxx.com.ar http://fonts.googleapis.com https://fonts.googleapis.com http://fonts.gstatic.com https://fonts.gstatic.com http://cdnjs.cloudflare.com https://cdnjs.cloudflare.com http://unpkg.com https://unpkg.com http://a.tile.openstreetmap.org https://a.tile.openstreetmap.org http://b.tile.openstreetmap.org https://b.tile.openstreetmap.org http://c.tile.openstreetmap.org https://c.tile.openstreetmap.org blob:;
vary: Accept-Encoding
via: 1.1 vegur
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
server: cloudflare
cf-ray: 46b76613581fb8dd-MIA
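
As an added example (not part of the original post): a small auditor for the Content-Security-Policy value in the curl output above, where each bare hostname appears with both `http://` and `https://`. It normalises typographic quotes from pasted headers, then reports plaintext origins, wildcards, and `'unsafe-eval'`/`'unsafe-inline'` in the effective script policy. `SAMPLE_CSP` is an abridged copy of that header, and the function names are this example's own.

```javascript
// Added example, not code from the thread. SAMPLE_CSP is an abridged copy
// (sources dropped) of the content-security-policy header in the curl output.
const SAMPLE_CSP = [
  "default-src 'self' http://maps.googleapis.com https://maps.googleapis.com blob:",
  "script-src 'self' http://unpkg.com https://unpkg.com blob: 'unsafe-eval'",
  "connect-src * 'self' http://unpkg.com https://unpkg.com blob:",
  "img-src data: 'self' https://a.tile.openstreetmap.org blob:",
  "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com blob:",
].join('; ') + ';';

// Parse "name src src; name src ..." into { name: [sources] }.
function parseCsp(headerValue) {
  const policy = Object.create(null); // no prototype keys to collide with
  // A header pasted through forum software may carry ‘self’ instead of 'self';
  // a browser would not treat the former as a keyword, so normalise first.
  const normalised = headerValue.replace(/[\u2018\u2019]/g, "'");
  for (const part of normalised.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers: the first occurrence wins.
    if (!(name in policy)) policy[name] = tokens.slice(1);
  }
  return policy;
}

// Return a list of { directive, issue, sources } findings.
function auditCsp(headerValue) {
  const policy = parseCsp(headerValue);
  const findings = [];
  for (const [directive, sources] of Object.entries(policy)) {
    // http:// and ws:// sources allow content the transport does not protect.
    const plaintext = sources.filter((s) => /^(http|ws):/i.test(s));
    if (plaintext.length > 0) {
      findings.push({ directive, issue: 'plaintext-origin', sources: plaintext });
    }
    if (sources.includes('*')) {
      findings.push({ directive, issue: 'wildcard', sources: ['*'] });
    }
  }
  // script-src falls back to default-src when it is absent.
  const script = policy['script-src'] || policy['default-src'] || [];
  const unsafe = script.filter((s) => s === "'unsafe-eval'" || s === "'unsafe-inline'");
  if (unsafe.length > 0) {
    findings.push({ directive: 'script-src', issue: 'unsafe-script-keyword', sources: unsafe });
  }
  return findings;
}

for (const f of auditCsp(SAMPLE_CSP)) {
  console.log(`${f.directive}: ${f.issue} (${f.sources.join(' ')})`);
}
```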


#2

What specifically do you mean by “my app won’t load”?
Also, what have you set ROOT_URL to?


#3

Hi @coagmano, I’m sorry, maybe my description is not accurate after all.

First, the ROOT_URL is configured correctly. In my post I protected the real app name because I can’t disclose it right now. I can confirm everything is correct because, after disabling the browser-policy module and commenting out the associated server code, my app works just fine, with and without HTTPS. If you want further data, please send me a PM.

The issue that I tried to describe as “my app won’t load” is that, after the app deploys to Heroku and Heroku restarts it, all login data gets lost, so my app loads the first route, “/login”. At that point the login page gets loaded, but after 2 seconds it reloads (with my Chrome tab showing the load icon and all). After that, the login screen displays again, then, after 2 seconds, it reloads again, and it enters an infinite loop that gets logged in the Heroku logs as described above in the section Heroku app logs. If you take a look at them, the /login path gets reloaded every 2 seconds.

Hope I clarified the situation.


#4

Thanks, that does clarify. Loading and then reloading every 2 seconds is very different from “won’t load”!

Do you get anything in the browser console before it reloads?
(Chrome has a “preserve log” option that prevents reloads from wiping the console)

You could also try using the devtools to add a breakpoint to the window’s unload event


#5

Hi @coagmano thanks a lot for your interest in this issue!

I have published a GitHub repo with a minimal version of my project: https://github.com/mgscreativa/meteor-browser-policy-issue

I also deployed two Heroku apps, one with browser-policy enabled and the other without it.

With Browser Policy Enabled
https://meteor-with-browser-policy.mgscreativa.com/login

Without Browser Policy Enabled
https://meteor-without-browser-policy.mgscreativa.com/login

I’m starting to suspect the CloudFlare service, because if I load the apps with the Heroku URL it works:
https://meteor-without-browser-policy.herokuapp.com/login and https://meteor-with-browser-policy.herokuapp.com/login

Log With Browser Policy Enabled

2018-10-19T16:18:20.837184+00:00 heroku[router]: at=info method=GET path="/sockjs/info?cb=ivxg11jtxi" host=meteor-with-browser-policy.mgscreativa.com request_id=3921ebe0-8934-44d5-a2b5-0b8ba23381ca fwd=“181.91.158.26,108.162.212.78” dyno=web.1 connect=1ms service=3ms status=200 bytes=361 protocol=https
2018-10-19T16:18:21.863031+00:00 heroku[router]: at=info method=GET path="/login" host=meteor-with-browser-policy.mgscreativa.com request_id=fc4e0153-6900-4c71-bac0-25abd8037e5e fwd=“181.91.158.26,108.162.212.78” dyno=web.1 connect=3ms service=6ms status=200 bytes=3834 protocol=https
2018-10-19T16:18:22.052353+00:00 heroku[router]: at=info method=GET path="/sockjs/794/hj9onx9t/websocket" host=meteor-with-browser-policy.mgscreativa.com request_id=2990818e-f5ca-49e5-8209-10f6cedf2699 fwd=“181.91.158.26,108.162.210.207” dyno=web.1 connect=1ms service=631ms status=101 bytes=1069 protocol=https
2018-10-19T16:18:22.842484+00:00 heroku[router]: at=info method=GET path="/sockjs/info?cb=iyzzr6wlu4" host=meteor-with-browser-policy.mgscreativa.com request_id=61ec05df-29d0-4e89-ae7b-600806cc4dab fwd=“181.91.158.26,108.162.212.78” dyno=web.1 connect=0ms service=1ms status=200 bytes=363 protocol=https
2018-10-19T16:18:23.846121+00:00 heroku[router]: at=info method=GET path="/login" host=meteor-with-browser-policy.mgscreativa.com request_id=5d593437-8303-47bf-8aa7-e19a065c9c97 fwd=“181.91.158.26,108.162.212.78” dyno=web.1 connect=0ms service=5ms status=200 bytes=3834 protocol=https
2018-10-19T16:18:24.036847+00:00 heroku[router]: at=info method=GET path="/sockjs/277/iswzci73/websocket" host=meteor-with-browser-policy.mgscreativa.com request_id=805a1e62-e863-4d37-9c97-99cdc72eddef fwd=“181.91.158.26,108.162.210.202” dyno=web.1 connect=1ms service=610ms status=101 bytes=1069 protocol=https
2018-10-19T16:18:24.833697+00:00 heroku[router]: at=info method=GET path="/sockjs/info?cb=61etfpne2y" host=meteor-with-browser-policy.mgscreativa.com request_id=0ed24897-c697-4c48-b046-47c8b0a8d7af fwd=“181.91.158.26,108.162.212.78” dyno=web.1 connect=1ms service=1ms status=200 bytes=363 protocol=https
2018-10-19T16:18:25.846591+00:00 heroku[router]: at=info method=GET path="/login" host=meteor-with-browser-policy.mgscreativa.com request_id=029e1c2b-06d2-4533-babf-13cb9a81f2d0 fwd=“181.91.158.26,108.162.212.78” dyno=web.1 connect=2ms service=6ms status=200 bytes=3834 protocol=https
2018-10-19T16:18:26.031844+00:00 heroku[router]: at=info method=GET path="/sockjs/782/nj34jr4g/websocket" host=meteor-with-browser-policy.mgscreativa.com request_id=b0f3c5a4-805d-4ce5-b5ee-6dea107b6e1f fwd=“181.91.158.26,108.162.210.203” dyno=web.1 connect=0ms service=648ms status=101 bytes=1069 protocol=https
2018-10-19T16:18:26.838733+00:00 heroku[router]: at=info method=GET path="/sockjs/info?cb=1mghrk4wn_" host=meteor-with-browser-policy.mgscreativa.com request_id=a5f7bb6d-599a-4001-b506-facb25aa96f0 fwd=“181.91.158.26,108.162.212.78” dyno=web.1 connect=1ms service=2ms status=200 bytes=363 protocol=https
2018-10-19T16:18:27.842875+00:00 heroku[router]: at=info method=GET path="/login" host=meteor-with-browser-policy.mgscreativa.com request_id=294cb283-5941-4584-915c-66023d4e5e61 fwd=“181.91.158.26,108.162.212.78” dyno=web.1 connect=0ms service=3ms status=200 bytes=3834 protocol=https
2018-10-19T16:18:28.027246+00:00 heroku[router]: at=info method=GET path="/sockjs/393/maj9c0t0/websocket" host=meteor-with-browser-policy.mgscreativa.com request_id=7d4a56ca-7b02-467d-af6a-cf854061bfcf fwd=“181.91.158.26,108.162.210.206” dyno=web.1 connect=1ms service=600ms status=101 bytes=1069 protocol=https
2018-10-19T16:18:28.835721+00:00 heroku[router]: at=info method=GET path="/sockjs/info?cb=jque4cdfit" host=meteor-with-browser-policy.mgscreativa.com request_id=c6d9c6ba-adf0-476c-ab5a-6ce00fa79030 fwd=“181.91.158.26,108.162.212.78” dyno=web.1 connect=1ms service=2ms status=200 bytes=363 protocol=https
2018-10-19T16:18:29.840189+00:00 heroku[router]: at=info method=GET path="/login" host=meteor-with-browser-policy.mgscreativa.com request_id=19ef4df9-67fb-4f0b-9f1c-00fd0c15adab fwd=“181.91.158.26,108.162.212.78” dyno=web.1 connect=0ms service=4ms status=200 bytes=3834 protocol=https
2018-10-19T16:18:30.101363+00:00 heroku[router]: at=info method=GET path="/sockjs/678/3gusdl7w/websocket" host=meteor-with-browser-policy.mgscreativa.com request_id=69305bc0-ba1f-451a-b3c4-b22e52c935e9 fwd=“181.91.158.26,108.162.210.205” dyno=web.1 connect=0ms service=673ms status=101 bytes=1068 protocol=https
2018-10-19T16:18:30.838885+00:00 heroku[router]: at=info method=GET path="/sockjs/info?cb=0y8rofkzqr" host=meteor-with-browser-policy.mgscreativa.com request_id=f0ceb5f6-918f-4bae-804a-52920e19eaa7 fwd=“181.91.158.26,108.162.212.78” dyno=web.1 connect=1ms service=2ms status=200 bytes=363 protocol=https
2018-10-19T16:18:31.847841+00:00 heroku[router]: at=info method=GET path="/login" host=meteor-with-browser-policy.mgscreativa.com request_id=d6681c18-b6dc-40b5-8945-e7278f928ca3 fwd=“181.91.158.26,108.162.212.78” dyno=web.1 connect=1ms service=4ms status=200 bytes=3834 protocol=https
2018-10-19T16:18:32.033963+00:00 heroku[router]: at=info method=GET path="/sockjs/252/4ol6ywv2/websocket" host=meteor-with-browser-policy.mgscreativa.com request_id=62279126-dfc9-4ba9-bd13-de5356df2433 fwd=“181.91.158.26,108.162.210.205” dyno=web.1 connect=1ms service=602ms status=101 bytes=175 protocol=https
2018-10-19T16:18:32.837946+00:00 heroku[router]: at=info method=GET path="/sockjs/info?cb=9jnlgtikng" host=meteor-with-browser-policy.mgscreativa.com request_id=c962dd82-a6bd-4864-84ba-5c9f7ca1f851 fwd=“181.91.158.26,108.162.212.78” dyno=web.1 connect=1ms service=1ms status=200 bytes=363 protocol=https
2018-10-19T16:18:33.837848+00:00 heroku[router]: at=info method=GET path="/login" host=meteor-with-browser-policy.mgscreativa.com request_id=8f77ec8c-1bc6-4431-bec9-2a93371b503e fwd=“181.91.158.26,108.162.212.78” dyno=web.1 connect=0ms service=3ms status=200 bytes=3834 protocol=https
2018-10-19T16:18:34.030493+00:00 heroku[router]: at=info method=GET path="/sockjs/641/s2gvw4fg/websocket" host=meteor-with-browser-policy.mgscreativa.com request_id=f7eaf92a-edc1-40f8-bd08-86936725053a fwd=“181.91.158.26,108.162.210.207” dyno=web.1 connect=1ms service=612ms status=101 bytes=1069 protocol=https
2018-10-19T16:18:34.865193+00:00 heroku[router]: at=info method=GET path="/sockjs/info?cb=s9rte_gbg7" host=meteor-with-browser-policy.mgscreativa.com request_id=98ffd368-4384-4ca0-8c91-9fed9ecc23a5 fwd=“181.91.158.26,108.162.212.78” dyno=web.1 connect=1ms service=2ms status=200 bytes=363 protocol=https
2018-10-19T16:18:36.917363+00:00 heroku[router]: at=info method=GET path="/login" host=meteor-with-browser-policy.mgscreativa.com request_id=eba4a1be-2999-4080-bfd8-0c496ac6e163 fwd=“181.91.158.26,108.162.212.82” dyno=web.1 connect=1ms service=3ms status=200 bytes=3834 protocol=https
2018-10-19T16:18:37.107756+00:00 heroku[router]: at=info method=GET path="/sockjs/228/u7pg0ngw/websocket" host=meteor-with-browser-policy.mgscreativa.com request_id=9c535b6b-b16e-47a1-8669-79fa728156c5 fwd=“181.91.158.26,108.162.210.205” dyno=web.1 connect=1ms service=1659ms status=101 bytes=1069 protocol=https
2018-10-19T16:18:37.918173+00:00 heroku[router]: at=info method=GET path="/sockjs/info?cb=xuhc4g9fgn" host=meteor-with-browser-policy.mgscreativa.com request_id=9959d395-4c59-47f6-a1d2-38aa10756e8f fwd=“181.91.158.26,108.162.212.82” dyno=web.1 connect=1ms service=2ms status=200 bytes=363 protocol=https

Log Without Browser Policy Enabled (manually reloaded several times)

2018-10-19T16:28:12.186938+00:00 heroku[router]: at=info method=GET path="/login" host=meteor-without-browser-policy.mgscreativa.com request_id=215c7294-69bd-4e5d-afdc-b3c21e4106f2 fwd=“181.91.158.26,108.162.212.81” dyno=web.1 connect=1ms service=4ms status=200 bytes=1099 protocol=https
2018-10-19T16:28:12.390870+00:00 heroku[router]: at=info method=GET path="/sockjs/729/ozyye8ni/websocket" host=meteor-without-browser-policy.mgscreativa.com request_id=e91929fa-7001-4909-b31a-65af191877a1 fwd=“181.91.158.26,108.162.212.168” dyno=web.1 connect=0ms service=190357ms status=101 bytes=1126 protocol=https
2018-10-19T16:28:12.710197+00:00 heroku[router]: at=info method=GET path="/sockjs/info?cb=nmklzbx7w1" host=meteor-without-browser-policy.mgscreativa.com request_id=02267102-7e23-40ea-9e52-0878628728ca fwd=“181.91.158.26,108.162.212.81” dyno=web.1 connect=0ms service=1ms status=200 bytes=363 protocol=https
2018-10-19T16:28:17.158053+00:00 heroku[router]: at=info method=GET path="/login" host=meteor-without-browser-policy.mgscreativa.com request_id=691e9a36-5c27-4889-b7f4-1a659b532ec0 fwd=“181.91.158.26,108.162.212.81” dyno=web.1 connect=0ms service=3ms status=200 bytes=1099 protocol=https
2018-10-19T16:28:17.354678+00:00 heroku[router]: at=info method=GET path="/sockjs/161/a_lkr8ca/websocket" host=meteor-without-browser-policy.mgscreativa.com request_id=0ea3faf4-2a18-41ea-a543-9168c80b3434 fwd=“181.91.158.26,108.162.212.170” dyno=web.1 connect=0ms service=4031ms status=101 bytes=1067 protocol=https
2018-10-19T16:28:17.678963+00:00 heroku[router]: at=info method=GET path="/sockjs/info?cb=ngcgutgwm6" host=meteor-without-browser-policy.mgscreativa.com request_id=5fe50556-cd4f-49e7-bd65-cc73ff5656e5 fwd=“181.91.158.26,108.162.212.82” dyno=web.1 connect=0ms service=1ms status=200 bytes=363 protocol=https
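
As an added example (not part of the original post): the reload loop described in this thread can be spotted from router logs alone. The detector below groups page loads by host, client address and path, and reports runs of requests spaced no more than a few seconds apart. The sample lines are constructed in the format of the logs above (placeholder hosts and addresses), and `maxGapMs`, `minHits` and the function names are this example's assumptions.

```javascript
// Added example, not code from the thread. Constructed sample lines in the
// Heroku router format shown above; one line is deliberately out of order.
const SAMPLE_LOG = [
  '2018-10-19T16:18:21.863031+00:00 heroku[router]: at=info method=GET path="/login" host=with-policy.example.com fwd=“203.0.113.7,198.51.100.9” dyno=web.1 status=200 protocol=https',
  '2018-10-19T16:18:22.052353+00:00 heroku[router]: at=info method=GET path="/sockjs/794/aaaa1111/websocket" host=with-policy.example.com fwd=“203.0.113.7,198.51.100.9” dyno=web.1 status=101 protocol=https',
  '2018-10-19T16:18:25.846591+00:00 heroku[router]: at=info method=GET path="/login" host=with-policy.example.com fwd=“203.0.113.7,198.51.100.9” dyno=web.1 status=200 protocol=https',
  '2018-10-19T16:18:23.846121+00:00 heroku[router]: at=info method=GET path="/login" host=with-policy.example.com fwd=“203.0.113.7,198.51.100.9” dyno=web.1 status=200 protocol=https',
  '2018-10-19T16:18:26.838733+00:00 heroku[router]: at=info method=GET path="/sockjs/info?cb=bbbb2222" host=with-policy.example.com fwd=“203.0.113.7,198.51.100.9” dyno=web.1 status=200 protocol=https',
  '2018-10-19T16:18:27.842875+00:00 heroku[router]: at=info method=GET path="/login" host=with-policy.example.com fwd=“203.0.113.7,198.51.100.9” dyno=web.1 status=200 protocol=https',
  '2018-10-19T16:18:29.840189+00:00 heroku[router]: at=info method=GET path="/login" host=with-policy.example.com fwd=“203.0.113.7,198.51.100.9” dyno=web.1 status=200 protocol=https',
  '2018-10-19T16:28:12.186938+00:00 heroku[router]: at=info method=GET path="/login" host=without-policy.example.com fwd="203.0.113.7,198.51.100.9" dyno=web.1 status=200 protocol=https',
  '2018-10-19T16:28:17.158053+00:00 heroku[router]: at=info method=GET path="/login" host=without-policy.example.com fwd="203.0.113.7,198.51.100.9" dyno=web.1 status=200 protocol=https',
].join('\n');

// Turn one router line into { time, method, path, host, client }, or null.
function parseRouterLine(line) {
  const m = /^(\S+) heroku\[router\]: (.*)$/.exec(line.trim());
  if (!m) return null;
  const fields = Object.create(null);
  // key=value pairs; a value may be bare, "quoted" or “typographically quoted”.
  const pair = /(\w+)=(?:["\u201c]([^"\u201d]*)["\u201d]|(\S*))/g;
  let p;
  while ((p = pair.exec(m[2])) !== null) {
    fields[p[1]] = p[2] !== undefined ? p[2] : p[3];
  }
  // Date.parse is specified for millisecond precision; drop the extra digits.
  const time = Date.parse(m[1].replace(/(\.\d{3})\d+/, '$1'));
  if (Number.isNaN(time) || !fields.path) return null;
  const client = (fields.fwd || '').split(',')[0]; // first entry of the fwd chain
  return { time, method: fields.method, path: fields.path, host: fields.host, client };
}

// Report runs of >= minHits page loads of one path by one client, each no more
// than maxGapMs after the previous one.
function findReloadLoops(logText, { maxGapMs = 3000, minHits = 4 } = {}) {
  const groups = new Map();
  for (const line of logText.split('\n')) {
    const r = parseRouterLine(line);
    // Page loads only: skip the SockJS/DDP transport requests.
    if (!r || r.method !== 'GET' || r.path.startsWith('/sockjs/')) continue;
    const key = `${r.host}|${r.client}|${r.path}`;
    if (!groups.has(key)) groups.set(key, { host: r.host, client: r.client, path: r.path, times: [] });
    groups.get(key).times.push(r.time);
  }
  const loops = [];
  for (const { host, client, path, times } of groups.values()) {
    times.sort((a, b) => a - b); // router lines are not always in time order
    let runStart = 0;
    for (let i = 1; i <= times.length; i++) {
      if (i < times.length && times[i] - times[i - 1] <= maxGapMs) continue;
      const hits = i - runStart;
      if (hits >= minHits) {
        const meanGapMs = Math.round((times[i - 1] - times[runStart]) / (hits - 1));
        loops.push({ host, client, path, hits, meanGapMs });
      }
      runStart = i;
    }
  }
  return loops;
}

console.log(findReloadLoops(SAMPLE_LOG));
```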


#6

I just took a look at the links and it looks like the browser policy (and the subsequent bug) isn’t coming through.

I noticed that the recommended way to set HTTP headers is changing to helmet:

There’s good advice in there on how to set content-security-policy as well.
Maybe worth trying that instead of the browser-policy meteor package?


#7

Thanks a lot @coagmano! This issue was driving me nuts, because if I test using Chrome/FF on Windows the issue disappears, but not on Linux ¿¿??

Here I published my browser policy setup using helmet https://github.com/mgscreativa/meteor-browser-policy-issue

Thanks again!


#8

A real Heisenbug! :microbe:

Glad you managed to sort it out anyway!