hsribei / meteor-disqus

Disqus package for Meteor. Add {{>disqus}} to template. Be happy.

Content Security Policy #2

Open michaellouieloria opened 9 years ago

michaellouieloria commented 9 years ago

I think you should add in the readme the proper entries for the content security policy because it's causing some errors.

The https://atmospherejs.com/meteor/browser-policy package can set the security policies.

Sample error message:

Refused to execute inline script because it violates the following Content Security Policy

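Fix (add in server):

```js
// Adds 'unsafe-inline' to script-src so inline <script> blocks may run.
BrowserPolicy.content.allowInlineScripts();
// Allow the Disqus and Google Analytics hosts, including subdomains, for all content types.
BrowserPolicy.content.allowOriginForAll('*.disquscdn.com');
BrowserPolicy.content.allowOriginForAll('*.disqus.com');
BrowserPolicy.content.allowOriginForAll('*.google-analytics.com');
```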

dvzrd commented 9 years ago

Hey, so how did you get browser policy to work with this package?

I'm getting this error every time even though I added the fixes you recommended.

 Refused to load the script 'http://undefined.disqus.com/embed.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' http://.disquscdn.com https://.disquscdn.com http://.disqus.com https://.disqus.com http://*.google-analytics.com https://*.google-analytics.com http://fonts.googleapis.com http://fonts.gstatic.com".

Appreciate any help on this, thanks.

michaellouieloria commented 9 years ago

Try adding the other links, like:

```js
BrowserPolicy.content.allowOriginForAll('*.gstatic.com');
BrowserPolicy.content.allowOriginForAll('*.googleapis.com');
```
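
An added example, not part of the original thread or of the package's code: a simplified CSP host-source matcher run over the `script-src` directive and blocked URL quoted in the error message above, to show which listed sources cover the script. The names `sourceMatches`, `matchingSources` and the `withWildcards` variant are constructed for illustration; ports, paths and scheme-only sources are ignored.

```javascript
// Simplified CSP host-source matching: scheme and host only (assumption: no ports or paths).
function sourceMatches(source, url) {
  // Keywords such as 'self' and 'unsafe-inline' never cover a third-party URL.
  if (source.startsWith("'")) return false;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/i.exec(source);
  if (!m) return false;
  const scheme = m[1] ? m[1].toLowerCase() : null;
  const pattern = m[2].toLowerCase();
  const target = new URL(url);
  const targetScheme = target.protocol.slice(0, -1);
  // An http: source also covers https: URLs, but never the other way round.
  if (scheme && scheme !== targetScheme &&
      !(scheme === 'http' && targetScheme === 'https')) return false;
  const host = target.hostname.toLowerCase();
  if (pattern === '*') return true;
  // "*.example.com" covers any subdomain, but not example.com itself.
  if (pattern.startsWith('*.')) return host.endsWith(pattern.slice(1));
  // Anything else must equal the host exactly, so ".example.com"
  // (no leading "*") is not a wildcard and matches no real hostname.
  return host === pattern;
}

// Returns the sources in a directive (after the directive name) that cover the URL.
function matchingSources(directive, url) {
  return directive.trim().split(/\s+/).slice(1)
    .filter((source) => sourceMatches(source, url));
}

// Directive and blocked URL exactly as quoted in the error message in this thread.
const reported = "script-src 'self' 'unsafe-inline' http://.disquscdn.com " +
  "https://.disquscdn.com http://.disqus.com https://.disqus.com " +
  "http://*.google-analytics.com https://*.google-analytics.com " +
  "http://fonts.googleapis.com http://fonts.gstatic.com";
const blocked = 'http://undefined.disqus.com/embed.js';

// Constructed variant: the same directive with a leading "*" on the Disqus hosts.
const withWildcards = reported.replace(/:\/\/\.disqus/g, '://*.disqus');

console.log('reported directive  :', matchingSources(reported, blocked));
console.log('with "*." wildcards :', matchingSources(withWildcards, blocked));
```

Run with Node.js. The same check works for any "Refused to load" message: paste in the directive and the blocked URL and see which source, if any, covers it.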