razor7
October 18, 2018, 1:44am
1
Hi! I have just disabled browser-policy package from my app deployed to Heroku because if I leave it enabled, my app won’t load HTTPS!
If I access my app through http://app.domain.com it works, but accessing with https://app.domain.com it enters an infinite reload loop.
Heroku app logs
2018-10-17T23:52:16.299384+00:00 heroku[router]: at=info method=GET path="/sockjs/048/yk_lctvs/websocket" host=app.domain.com request_id=8d322763-1141-4217-94e1-5b390e1e9739 fwd="181.95.179.168,162.158.123.96" dyno=web.1 connect=1ms service=765ms status=101 bytes=175 protocol=http
2018-10-17T23:52:16.336802+00:00 heroku[router]: at=info method=GET path="/login" host=app.domain.com request_id=9d1fe273-3abb-4ecf-996f-ced82b07117e fwd="181.95.179.168,162.158.123.114" dyno=web.1 connect=1ms service=9ms status=200 bytes=4442 protocol=http
2018-10-17T23:52:16.512511+00:00 heroku[router]: at=info method=GET path="/sockjs/info?cb=5g7x6pmg9k" host=app.domain.com request_id=dfd71b44-5b95-42b3-b02f-bd118e91804a fwd="181.95.179.168,162.158.123.114" dyno=web.1 connect=1ms service=3ms status=200 bytes=363 protocol=http
2018-10-17T23:52:17.119755+00:00 heroku[router]: at=info method=GET path="/sockjs/info?cb=jadymh88hj" host=app.domain.com request_id=0febb4b3-107a-41ad-b427-6f187a32c3b2 fwd="181.95.179.168,162.158.123.114" dyno=web.1 connect=0ms service=4ms status=200 bytes=363 protocol=http
2018-10-17T23:52:18.401775+00:00 heroku[router]: at=info method=GET path="/sockjs/559/3by4bm5x/websocket" host=app.domain.com request_id=85b5cf5b-7c75-4472-9a0e-46c76c8cd534 fwd="181.95.179.168,162.158.123.95" dyno=web.1 connect=0ms service=664ms status=101 bytes=175 protocol=http
2018-10-17T23:52:18.410152+00:00 heroku[router]: at=info method=GET path="/login" host=app.domain.com request_id=ebd62bbc-a041-40aa-9c21-e15414655a59 fwd="181.95.179.168,162.158.123.114" dyno=web.1 connect=1ms service=7ms status=200 bytes=4442 protocol=http
2018-10-17T23:52:18.616711+00:00 heroku[router]: at=info method=GET path="/sockjs/info?cb=7k081p4ay5" host=app.domain.com request_id=a780d8d5-a149-4a55-a43d-b9be9dbfd1bc fwd="181.95.179.168,162.158.123.114" dyno=web.1 connect=0ms service=1ms status=200 bytes=363 protocol=http
2018-10-17T23:52:19.144127+00:00 heroku[router]: at=info method=GET path="/sockjs/info?cb=3zq5040dzp" host=app.domain.com request_id=a86deb0d-8ee1-4ed6-9c60-88ea639afb7e fwd="181.95.179.168,162.158.123.114" dyno=web.1 connect=1ms service=2ms status=200 bytes=363 protocol=http
2018-10-17T23:52:20.417289+00:00 heroku[router]: at=info method=GET path="/login" host=app.domain.com request_id=1f7bf690-22a2-44c6-bfc2-76de3bef3558 fwd="181.95.179.168,162.158.123.114" dyno=web.1 connect=1ms service=7ms status=200 bytes=4442 protocol=http
2018-10-17T23:52:20.405086+00:00 heroku[router]: at=info method=GET path="/sockjs/802/r48516e0/websocket" host=app.domain.com request_id=2f733dc7-2d60-4770-b83d-52f53b5bc58a fwd="181.95.179.168,162.158.123.96" dyno=web.1 connect=0ms service=662ms status=101 bytes=175 protocol=http
This issue seems to be related to meteor package browser-policy . After disabling it in meteor packages file and removing the startup code the site stopped redirecting.
The startup code for browser-policy is as follows:
import _ from 'lodash';
import { BrowserPolicy } from 'meteor/browser-policy-common';
BrowserPolicy.framing.disallow();
BrowserPolicy.content.disallowInlineScripts();
BrowserPolicy.content.allowInlineStyles();
BrowserPolicy.content.disallowEval();
const trusted = [
'maps.googleapis.com',
'maps.gstatic.com',
'csi.gstatic.com',
'xxxxxx.herokuapp.com',
'xxxxxx.xxxxxx.com.ar',
'fonts.googleapis.com',
'fonts.gstatic.com',
'cdnjs.cloudflare.com',
'unpkg.com',
'a.tile.openstreetmap.org',
'b.tile.openstreetmap.org',
'c.tile.openstreetmap.org',
'blob:',
];
_.map(trusted, origin => BrowserPolicy.content.allowOriginForAll(origin));
I tried locally with –production flag but the app works just fine, the issue appears on Heroku and HTTPS
Result of curl -I https://xxxxxxapp.xxxxxx.com.ar without browser-policy
HTTP/2 200https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct ”
Result of curl -I https://xxxxxxapp.xxxxxx.com.ar with browser-policy
HTTP/2 200http://maps.googleapis.com https://maps.googleapis.com http://maps.gstatic.com https://maps.gstatic.com http://csi.gstatic.com https://csi.gstatic.com http://xxxxxx.herokuapp.com https://xxxxxx.herokuapp.com http://xxxxxxapp.xxxxxx.com.ar https://xxxxxxapp.xxxxxx.com.ar http://fonts.googleapis.com https://fonts.googleapis.com http://fonts.gstatic.com https://fonts.gstatic.com http://cdnjs.cloudflare.com https://cdnjs.cloudflare.com http://unpkg.com https://unpkg.com http://a.tile.openstreetmap.org https://a.tile.openstreetmap.org http://b.tile.openstreetmap.org https://b.tile.openstreetmap.org http://c.tile.openstreetmap.org https://c.tile.openstreetmap.org blob:; script-src ‘self’ http://maps.googleapis.com https://maps.googleapis.com http://maps.gstatic.com https://maps.gstatic.com http://csi.gstatic.com https://csi.gstatic.com http://xxxxxx.herokuapp.com https://xxxxxx.herokuapp.com http://xxxxxxapp.xxxxxx.com.ar https://xxxxxxapp.xxxxxx.com.ar http://fonts.googleapis.com https://fonts.googleapis.com http://fonts.gstatic.com https://fonts.gstatic.com http://cdnjs.cloudflare.com https://cdnjs.cloudflare.com http://unpkg.com https://unpkg.com http://a.tile.openstreetmap.org https://a.tile.openstreetmap.org http://b.tile.openstreetmap.org https://b.tile.openstreetmap.org http://c.tile.openstreetmap.org https://c.tile.openstreetmap.org blob: ‘unsafe-eval’; connect-src * ‘self’ http://maps.googleapis.com https://maps.googleapis.com http://maps.gstatic.com https://maps.gstatic.com http://csi.gstatic.com https://csi.gstatic.com http://xxxxxx.herokuapp.com https://xxxxxx.herokuapp.com http://xxxxxxapp.xxxxxx.com.ar https://xxxxxxapp.xxxxxx.com.ar http://fonts.googleapis.com https://fonts.googleapis.com http://fonts.gstatic.com https://fonts.gstatic.com http://cdnjs.cloudflare.com https://cdnjs.cloudflare.com http://unpkg.com https://unpkg.com http://a.tile.openstreetmap.org https://a.tile.openstreetmap.org http://b.tile.openstreetmap.org https://b.tile.openstreetmap.org http://c.tile.openstreetmap.org https://c.tile.openstreetmap.org blob:; img-src data: ‘self’ http://maps.googleapis.com https://maps.googleapis.com http://maps.gstatic.com https://maps.gstatic.com http://csi.gstatic.com https://csi.gstatic.com http://xxxxxx.herokuapp.com https://xxxxxx.herokuapp.com http://xxxxxxapp.xxxxxx.com.ar https://xxxxxxapp.xxxxxx.com.ar http://fonts.googleapis.com https://fonts.googleapis.com http://fonts.gstatic.com https://fonts.gstatic.com http://cdnjs.cloudflare.com https://cdnjs.cloudflare.com http://unpkg.com https://unpkg.com http://a.tile.openstreetmap.org https://a.tile.openstreetmap.org http://b.tile.openstreetmap.org https://b.tile.openstreetmap.org http://c.tile.openstreetmap.org https://c.tile.openstreetmap.org blob:; style-src ‘self’ ‘unsafe-inline’ http://maps.googleapis.com https://maps.googleapis.com http://maps.gstatic.com https://maps.gstatic.com http://csi.gstatic.com https://csi.gstatic.com http://xxxxxx.herokuapp.com https://xxxxxx.herokuapp.com http://xxxxxxapp.xxxxxx.com.ar https://xxxxxxapp.xxxxxx.com.ar http://fonts.googleapis.com https://fonts.googleapis.com http://fonts.gstatic.com https://fonts.gstatic.com http://cdnjs.cloudflare.com https://cdnjs.cloudflare.com http://unpkg.com https://unpkg.com http://a.tile.openstreetmap.org https://a.tile.openstreetmap.org http://b.tile.openstreetmap.org https://b.tile.openstreetmap.org http://c.tile.openstreetmap.org https://c.tile.openstreetmap.org blob:;https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct ”
What specifically do you mean by “my app won’t load”?
razor7
October 18, 2018, 10:39am
3
Hi @coagmano , I’m sorry, maybe my description is not accurate after all.
First, the ROOT_URL is configured correctly, in my post I protected real app name because I can’t disclose it right now. I can confirm everything is correct because disabling browser-policy module and commenting out associated server code my app works just fine, with and without HTTPS. If you want further data, please send me a PM.
The issue that I tried to describe as “my app won’t load” is that, after app deploys to heroku and heroku restarts it, all login data get lost, so my app will load first route “/login”, at that point, the login page gets loaded, but after 2 seconds it reloads (with my chrome tab showing load icon and all), after that, the login screen displays again, then again, after 2 seconds it reloads, and enters an infinite loop that gets logged into heroku logs as described above in section Heroku app logs , if you take a look at them, the /login path gets realoaded every 2 seconds.
Hope I clarified the situation.
Thanks, that does clarify. Loading and then reloading every 2 seconds is very different from “won’t load”!
Do you get anything in the browser console before it reloads?
You could also try using the devtools to add a breakpoint to the window’s unload event
razor7
October 19, 2018, 4:47pm
5
Hi @coagmano thanks a lot for your interest in this issue!
I have published a Github repo with a minimal version of my project https://github.com/mgscreativa/meteor-browser-policy-issue
Also deployed two heroku apps, one with browser-policy enabled and the other without it
With Browser Policy Enabled https://meteor-with-browser-policy.mgscreativa.com/login
Without Browser Policy Enabled https://meteor-without-browser-policy.mgscreativa.com/login
I’m starting to suspect of CloudFlare service, because if I load the apps with heroku URL it works:https://meteor-without-browser-policy.herokuapp.com/login and https://meteor-with-browser-policy.herokuapp.com/login
Log With Browser Policy Enabled
2018-10-19T16:18:20.837184+00:00 heroku[router]: at=info method=GET path="/sockjs/info?cb=ivxg11jtxi" host=meteor-with-browser-policy.mgscreativa.com request_id=3921ebe0-8934-44d5-a2b5-0b8ba23381ca fwd=“181.91.158.26,108.162.212.78” dyno=web.1 connect=1ms service=3ms status=200 bytes=361 protocol=httpshost=meteor-with-browser-policy.mgscreativa.com request_id=fc4e0153-6900-4c71-bac0-25abd8037e5e fwd=“181.91.158.26,108.162.212.78” dyno=web.1 connect=3ms service=6ms status=200 bytes=3834 protocol=httpshost=meteor-with-browser-policy.mgscreativa.com request_id=2990818e-f5ca-49e5-8209-10f6cedf2699 fwd=“181.91.158.26,108.162.210.207” dyno=web.1 connect=1ms service=631ms status=101 bytes=1069 protocol=httpshost=meteor-with-browser-policy.mgscreativa.com request_id=61ec05df-29d0-4e89-ae7b-600806cc4dab fwd=“181.91.158.26,108.162.212.78” dyno=web.1 connect=0ms service=1ms status=200 bytes=363 protocol=httpshost=meteor-with-browser-policy.mgscreativa.com request_id=5d593437-8303-47bf-8aa7-e19a065c9c97 fwd=“181.91.158.26,108.162.212.78” dyno=web.1 connect=0ms service=5ms status=200 bytes=3834 protocol=httpshost=meteor-with-browser-policy.mgscreativa.com request_id=805a1e62-e863-4d37-9c97-99cdc72eddef fwd=“181.91.158.26,108.162.210.202” dyno=web.1 connect=1ms service=610ms status=101 bytes=1069 protocol=httpshost=meteor-with-browser-policy.mgscreativa.com request_id=0ed24897-c697-4c48-b046-47c8b0a8d7af fwd=“181.91.158.26,108.162.212.78” dyno=web.1 connect=1ms service=1ms status=200 bytes=363 protocol=httpshost=meteor-with-browser-policy.mgscreativa.com request_id=029e1c2b-06d2-4533-babf-13cb9a81f2d0 fwd=“181.91.158.26,108.162.212.78” dyno=web.1 connect=2ms service=6ms status=200 bytes=3834 protocol=httpshost=meteor-with-browser-policy.mgscreativa.com request_id=b0f3c5a4-805d-4ce5-b5ee-6dea107b6e1f fwd=“181.91.158.26,108.162.210.203” dyno=web.1 connect=0ms service=648ms status=101 bytes=1069 protocol=httpshost=meteor-with-browser-policy.mgscreativa.com request_id=a5f7bb6d-599a-4001-b506-facb25aa96f0 fwd=“181.91.158.26,108.162.212.78” dyno=web.1 connect=1ms service=2ms status=200 bytes=363 protocol=httpshost=meteor-with-browser-policy.mgscreativa.com request_id=294cb283-5941-4584-915c-66023d4e5e61 fwd=“181.91.158.26,108.162.212.78” dyno=web.1 connect=0ms service=3ms status=200 bytes=3834 protocol=httpshost=meteor-with-browser-policy.mgscreativa.com request_id=7d4a56ca-7b02-467d-af6a-cf854061bfcf fwd=“181.91.158.26,108.162.210.206” dyno=web.1 connect=1ms service=600ms status=101 bytes=1069 protocol=httpshost=meteor-with-browser-policy.mgscreativa.com request_id=c6d9c6ba-adf0-476c-ab5a-6ce00fa79030 fwd=“181.91.158.26,108.162.212.78” dyno=web.1 connect=1ms service=2ms status=200 bytes=363 protocol=httpshost=meteor-with-browser-policy.mgscreativa.com request_id=19ef4df9-67fb-4f0b-9f1c-00fd0c15adab fwd=“181.91.158.26,108.162.212.78” dyno=web.1 connect=0ms service=4ms status=200 bytes=3834 protocol=httpshost=meteor-with-browser-policy.mgscreativa.com request_id=69305bc0-ba1f-451a-b3c4-b22e52c935e9 fwd=“181.91.158.26,108.162.210.205” dyno=web.1 connect=0ms service=673ms status=101 bytes=1068 protocol=httpshost=meteor-with-browser-policy.mgscreativa.com request_id=f0ceb5f6-918f-4bae-804a-52920e19eaa7 fwd=“181.91.158.26,108.162.212.78” dyno=web.1 connect=1ms service=2ms status=200 bytes=363 protocol=httpshost=meteor-with-browser-policy.mgscreativa.com request_id=d6681c18-b6dc-40b5-8945-e7278f928ca3 fwd=“181.91.158.26,108.162.212.78” dyno=web.1 connect=1ms service=4ms status=200 bytes=3834 protocol=httpshost=meteor-with-browser-policy.mgscreativa.com request_id=62279126-dfc9-4ba9-bd13-de5356df2433 fwd=“181.91.158.26,108.162.210.205” dyno=web.1 connect=1ms service=602ms status=101 bytes=175 protocol=httpshost=meteor-with-browser-policy.mgscreativa.com request_id=c962dd82-a6bd-4864-84ba-5c9f7ca1f851 fwd=“181.91.158.26,108.162.212.78” dyno=web.1 connect=1ms service=1ms status=200 bytes=363 protocol=httpshost=meteor-with-browser-policy.mgscreativa.com request_id=8f77ec8c-1bc6-4431-bec9-2a93371b503e fwd=“181.91.158.26,108.162.212.78” dyno=web.1 connect=0ms service=3ms status=200 bytes=3834 protocol=httpshost=meteor-with-browser-policy.mgscreativa.com request_id=f7eaf92a-edc1-40f8-bd08-86936725053a fwd=“181.91.158.26,108.162.210.207” dyno=web.1 connect=1ms service=612ms status=101 bytes=1069 protocol=httpshost=meteor-with-browser-policy.mgscreativa.com request_id=98ffd368-4384-4ca0-8c91-9fed9ecc23a5 fwd=“181.91.158.26,108.162.212.78” dyno=web.1 connect=1ms service=2ms status=200 bytes=363 protocol=httpshost=meteor-with-browser-policy.mgscreativa.com request_id=eba4a1be-2999-4080-bfd8-0c496ac6e163 fwd=“181.91.158.26,108.162.212.82” dyno=web.1 connect=1ms service=3ms status=200 bytes=3834 protocol=httpshost=meteor-with-browser-policy.mgscreativa.com request_id=9c535b6b-b16e-47a1-8669-79fa728156c5 fwd=“181.91.158.26,108.162.210.205” dyno=web.1 connect=1ms service=1659ms status=101 bytes=1069 protocol=httpshost=meteor-with-browser-policy.mgscreativa.com request_id=9959d395-4c59-47f6-a1d2-38aa10756e8f fwd=“181.91.158.26,108.162.212.82” dyno=web.1 connect=1ms service=2ms status=200 bytes=363 protocol=https
Log Without Browser Policy Enabled (manually reloaded several times)
2018-10-19T16:28:12.186938+00:00 heroku[router]: at=info method=GET path="/login" host=meteor-without-browser-policy.mgscreativa.com request_id=215c7294-69bd-4e5d-afdc-b3c21e4106f2 fwd=“181.91.158.26,108.162.212.81” dyno=web.1 connect=1ms service=4ms status=200 bytes=1099 protocol=httpshost=meteor-without-browser-policy.mgscreativa.com request_id=e91929fa-7001-4909-b31a-65af191877a1 fwd=“181.91.158.26,108.162.212.168” dyno=web.1 connect=0ms service=190357ms status=101 bytes=1126 protocol=httpshost=meteor-without-browser-policy.mgscreativa.com request_id=02267102-7e23-40ea-9e52-0878628728ca fwd=“181.91.158.26,108.162.212.81” dyno=web.1 connect=0ms service=1ms status=200 bytes=363 protocol=httpshost=meteor-without-browser-policy.mgscreativa.com request_id=691e9a36-5c27-4889-b7f4-1a659b532ec0 fwd=“181.91.158.26,108.162.212.81” dyno=web.1 connect=0ms service=3ms status=200 bytes=1099 protocol=httpshost=meteor-without-browser-policy.mgscreativa.com request_id=0ea3faf4-2a18-41ea-a543-9168c80b3434 fwd=“181.91.158.26,108.162.212.170” dyno=web.1 connect=0ms service=4031ms status=101 bytes=1067 protocol=httpshost=meteor-without-browser-policy.mgscreativa.com request_id=5fe50556-cd4f-49e7-bd65-cc73ff5656e5 fwd=“181.91.158.26,108.162.212.82” dyno=web.1 connect=0ms service=1ms status=200 bytes=363 protocol=https
I just took a look at the links and it looks like the browser policy (and the subsequent bug) isn’t coming through.
I noticed that the recommended way to set HTTP headers is changing to helmet:
There’s good advice in there on how to set content-security-policy as well.browser-policy meteor package?
razor7
October 24, 2018, 2:16pm
7
Thanks a lot @coagmano ! This issue was driving me nuts, because if I test using chrome/ff in Windows the issue dissapears, but not in Linux ¿¿??
Here I published my browser policy setup using helmet https://github.com/mgscreativa/meteor-browser-policy-issue
Thanks again!
1 Like
A real Heisenbug!
Glad you managed to sort it out anyway!
