Meteor browser policy


Recently I found out about the browser-policy package for Meteor from David Weldon (https://dweldon.silvrback.com/browser-policy), which I found via this checklist made by Sacha: https://meteorjs.club/MeteorSecurityChecklist.pdf

I use the Google Analytics for Iron Router package (https://github.com/reywood/meteor-iron-router-ga/) as well, and I keep getting the following error after trying many different options (I expected BrowserPolicy.content.allowInlineScripts(); to allow this):

Refused to load the script 'data:application/javascript;base64,dmFyIHVyY2hpblRyYWNrZXI9ZnVuY3Rpb24oKXt9…JVcmw6ZnVuY3Rpb24obyl7cmV0dXJuIG87fSxfdHJhY2tFdmVudDpmdW5jdGlvbigpe319fX07' because it violates the following Content Security Policy directive: "script-src 'self' http://*.google-analytics.com https://*.google-analytics.com http://*.googleapis.com https://*.googleapis.com http://*.gstatic.com https://*.gstatic.com http://www.google-analytics.com https://www.google-analytics.com".

Can anyone give me more insight into this?

David Weldon (best answer):

The URL in question is a Data URL, so one way to solve this is to add the following to your policy:

BrowserPolicy.content.allowDataUrlForAll()

That's a pretty broad rule though. If you want to narrow it just to scripts you could do:

BrowserPolicy.content.allowScriptDataUrl()
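To make the distinction behind the error concrete, here is an added example (not code from the question, the answer, or the browser-policy package): a minimal matcher for the script-src source list quoted in the error. It assumes that allowInlineScripts() adds the 'unsafe-inline' keyword and allowScriptDataUrl() adds the data: scheme source to script-src, and it simplifies host matching (no port or path matching); the page origin and the shortened data: URL are constructed inputs.

```javascript
// Added example: why 'unsafe-inline' does not admit a data: URL script but the
// data: scheme source does. Assumptions: allowInlineScripts() => 'unsafe-inline',
// allowScriptDataUrl() => 'data:' in script-src; host matching ignores port/path.
function parseScriptSrc(header) {
  const m = /script-src\s+([^;]+)/.exec(header);
  return m ? m[1].trim().split(/\s+/) : [];
}

// Host-source wildcard: '*.example.com' matches subdomains, not the bare domain.
function hostMatches(pattern, host) {
  return pattern.startsWith('*.') ? host.endsWith(pattern.slice(1)) : pattern === host;
}

function sourceAllowsUrl(source, url, pageOrigin) {
  if (source === "'self'") return url === pageOrigin || url.startsWith(pageOrigin + '/');
  if (source.startsWith("'")) return false;  // keywords such as 'unsafe-inline' never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {  // scheme-source, e.g. data:
    return url.toLowerCase().startsWith(source.toLowerCase());
  }
  const s = /^(?:(https?):\/\/)?([^\/]+)$/i.exec(source);  // host-source, optional scheme
  const u = /^(https?):\/\/([^\/:]+)/i.exec(url);
  if (!s || !u) return false;
  if (s[1] && s[1].toLowerCase() !== u[1].toLowerCase()) return false;
  return hostMatches(s[2].toLowerCase(), u[2].toLowerCase());
}

function scriptUrlAllowed(header, url, pageOrigin) {
  return parseScriptSrc(header).some(src => sourceAllowsUrl(src, url, pageOrigin));
}

// Constructed inputs: the directive quoted in the error, a shortened stand-in for
// the data: URL (the real one is truncated in the question) and an assumed origin.
const POLICY = "script-src 'self' http://*.google-analytics.com https://*.google-analytics.com " +
  "http://*.googleapis.com https://*.googleapis.com http://*.gstatic.com https://*.gstatic.com " +
  "http://www.google-analytics.com https://www.google-analytics.com";
const DATA_SCRIPT = 'data:application/javascript;base64,dmFyIHVyY2hpblRyYWNrZXI9ZnVuY3Rpb24oKXt9';
const PAGE_ORIGIN = 'http://localhost:3000';

function demo() {
  return {
    asIs: scriptUrlAllowed(POLICY, DATA_SCRIPT, PAGE_ORIGIN),                              // false
    withUnsafeInline: scriptUrlAllowed(POLICY + " 'unsafe-inline'", DATA_SCRIPT, PAGE_ORIGIN), // false
    withDataScheme: scriptUrlAllowed(POLICY + ' data:', DATA_SCRIPT, PAGE_ORIGIN),          // true
    gaScript: scriptUrlAllowed(POLICY, 'https://www.google-analytics.com/analytics.js', PAGE_ORIGIN), // true
  };
}

console.log(demo());
```

Only script-src gains the data: source here, which is the narrower of the two options in the answer; allowDataUrlForAll() would admit data: URLs for every content type the policy covers.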