meteor-velocity with BrowserPolicy


Marc d'Entremont

Dec 17, 2014, 8:01:46 PM
to meteo...@googlegroups.com
So I'm trying to get meteor-velocity going with the BrowserPolicy package installed.

Unfortunately, I've not had much success.
I'm hoping someone has an answer and is willing to share.

The error I get in Firefox is:
The connection to ws://localhost:5000/sockjs/324/tj07mpif/websocket was interrupted while the page was loading. ddp.js:1344
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://localhost:3000/sockjs/info?cb=rs_3kpmn2_. This can be fixed by moving the resource to the same domain or enabling CORS.
I've tried quite a few permutations of the code below. The section I'm changing is the if development block.

I expected that allowing connections for localhost:3000 (the meteor app) and localhost:5000 (the meteor-velocity mirror) would have been enough to define the connection resource as allowed.
It seems not and the error messages are not very helpful.

Meteor.startup(function () {
  // for the script
  BrowserPolicy.content.allowScriptOrigin("*.google-analytics.com");
  // for the tracking pixel
  BrowserPolicy.content.allowImageOrigin("*.google-analytics.com");
  // for cloudinary images
  BrowserPolicy.content.allowImageOrigin("*.cloudinary.com");
  // for bootstrap
  BrowserPolicy.content.allowOriginForAll('*.bootstrapcdn.com');
  // for facebook
  BrowserPolicy.content.allowOriginForAll("*.facebook.net");
  BrowserPolicy.content.allowOriginForAll("*.facebook.com");
  BrowserPolicy.content.allowEval("*.facebook.com");
  BrowserPolicy.content.allowEval("*.facebook.net");

  // Need to run this at the end so that it overrides normal browser policy settings.
  if (process.env.NODE_ENV === "development") {
    console.log("In development mode. Allowing all framing so that mocha-web can run for tests.");

    BrowserPolicy.framing.allowAll();
    BrowserPolicy.content.allowOriginForAll("http://localhost:3000");
    BrowserPolicy.content.allowOriginForAll("http://localhost:5000");

    BrowserPolicy.content.allowConnectOrigin("ws://localhost:5000");
    BrowserPolicy.content.allowConnectOrigin("ws://localhost:3000");
    //BrowserPolicy.content.allowOriginForAll("*");
  } else {
    var rootUrl = __meteor_runtime_config__.ROOT_URL;
    console.log("ROOT_URL " + rootUrl);
    BrowserPolicy.content.allowConnectOrigin(rootUrl);
    BrowserPolicy.content.allowConnectOrigin(rootUrl.replace('http', 'ws'));
  }
});

On my dev box it outputs (just reformatted to be easy to read):
default-src 'self' 
http://*.bootstrapcdn.com 
https://*.bootstrapcdn.com 
http://*.facebook.net 
https://*.facebook.net 
http://*.facebook.com 
https://*.facebook.com 
http://localhost:3000 
http://localhost:5000;

script-src 'self' 'unsafe-inline' 
http://*.google-analytics.com 
https://*.google-analytics.com 
http://*.bootstrapcdn.com 
https://*.bootstrapcdn.com 
http://*.facebook.net 
https://*.facebook.net 
http://*.facebook.com 
https://*.facebook.com 'unsafe-eval' 
http://localhost:3000 
http://localhost:5000;

connect-src * 'self' 
http://*.bootstrapcdn.com 
https://*.bootstrapcdn.com 
http://*.facebook.net 
https://*.facebook.net 
http://*.facebook.com 
https://*.facebook.com 
http://localhost:3000 
http://localhost:5000 
ws://localhost:5000 
ws://localhost:3000;

img-src data: 'self' 
http://*.google-analytics.com 
https://*.google-analytics.com 
http://*.cloudinary.com 
https://*.cloudinary.com 
http://*.bootstrapcdn.com 
https://*.bootstrapcdn.com 
http://*.facebook.net 
https://*.facebook.net 
http://*.facebook.com 
https://*.facebook.com 
http://localhost:3000 
http://localhost:5000;

style-src 'self' 'unsafe-inline' 
http://*.bootstrapcdn.com 
https://*.bootstrapcdn.com 
http://*.facebook.net 
https://*.facebook.net 
http://*.facebook.com 
https://*.facebook.com 
http://localhost:3000 
http://localhost:5000;

Many thanks for looking at this long post.
Marc

Sam Hatoum

Dec 18, 2014, 5:02:04 AM
to meteo...@googlegroups.com
Mocha-web connects from the mirror to the parent: 


Might that be causing your issue?


Marc d'Entremont

Dec 18, 2014, 1:10:57 PM
to meteo...@googlegroups.com
Thanks Sam.

It seems likely as the error mentions ddp. 

I'm thinking I have some sort of conceptual mismatch going on. I think of the browser-policy infrastructure as providing a coarse-grained whitelist. In effect, add a protocol://domain:port combination to the whitelist for a specific type of functionality, e.g. connect, and the browsers will allow that connection.
So assuming the mirror is running on localhost:5000 and the parent is on localhost:3000 on the server, and the app and the tests are running in the browser window, I would have thought the following two browser-policy calls would have sorted the problem.

BrowserPolicy.content.allowConnectOrigin("ws://localhost:5000");
BrowserPolicy.content.allowConnectOrigin("ws://localhost:3000");


Apparently I'm missing something.
Marc



Sam Hatoum

Dec 18, 2014, 2:19:55 PM
to meteo...@googlegroups.com
I don't have any experience with browser policies so I'm just guessing!

Could you try the xolvio:cucumber package and see if that causes the same issue? You can add the policy code you have to this example project. I know this example doesn't use DDP from the client to connect from the mirror to the master process. This will rule out (or not) the cross DDP talk as the cause.

Marc d'Entremont

Dec 18, 2014, 2:54:16 PM
to meteo...@googlegroups.com
I was wondering if there was a convenient way to identify the actual source of the problem.

The cucumber package works well. 

Adding browser-policy and restarting resulted in all tests still being run, and all the UI parts still look fine.
The only error to the console was:
"Refused to load the stylesheet 'http://fonts.googleapis.com/css?family=Source+Sans+Pro:300,400,600' because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-inline'"."

From that I take it:
1. The browser-policy is active and preventing calls for non-local resources
2. That the ddp call from the mirror to the master process is the culprit.

Do you think that it would be just as viable for the ddp calls to be made to the mirror? I guess at this point I really don't know enough about any of the velocity projects to provide any useful advice.

I figured I’d try adding cucumber to my project
meteor add xolvio:cucumber
 => Errors while adding packages:

While building package velocity:test-proxy:
error: File not found: tests/mocha/server/sampleServerTest.js
error: File not found: tests/mocha/client/sampleClientTest.js


Adding the files did allow it to add the project. 
touch tests/mocha/server/sampleServerTest.js
touch tests/mocha/client/sampleClientTest.js

I already reported this on mike:mocha's project, but maybe it's not his issue.
Apparently, something hangs about even after resetting with git.

I'm looking forward to the section on cucumber in your book.
Marc

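The whitelist model Marc describes two posts up (protocol://domain:port per functionality type) is the CSP source-list model that browser-policy compiles into the header he pasted, and the stylesheet refusal he reports above is a plain style-src miss. The following is an added example, not code from this thread, from the browser-policy package or from velocity: a small JavaScript matcher that applies CSP's source-expression rules (simplified from CSP level 2) to a header in that format, so you can check what a given policy will and will not let a page load before the browser tells you. The policy string is condensed from the directives pasted earlier, and the page origin and URLs it is run against are constructed for the example. Two things it makes visible: the printed connect-src already contains `*`, so the sockjs/info request to localhost:3000 is not refused by this policy at all (the Firefox message names the Same Origin Policy, a CORS decision that depends on the responding server's headers, which no client-side CSP allow-list changes); and a host source without an explicit port only matches the scheme's default port, which is why `localhost:3000` and `localhost:5000` have to be listed with their ports.

```javascript
// Added example, not code from the thread: a minimal Content-Security-Policy
// source-list matcher for headers of the shape browser-policy emits.
// Rules implemented (simplified from CSP level 2): 'self', '*', scheme-only
// sources (data:), host sources with a leading "*." wildcard, explicit or
// default ports, http->https and ws->wss upgrades, and fallback to
// default-src when a directive is absent.

const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Constructed sample: the poster's dev-box header, condensed to the
// directives this example exercises.
const SAMPLE_POLICY =
  "default-src 'self' http://*.bootstrapcdn.com https://*.bootstrapcdn.com " +
  "http://localhost:3000 http://localhost:5000; " +
  "connect-src * 'self' http://localhost:3000 http://localhost:5000 " +
  "ws://localhost:5000 ws://localhost:3000; " +
  "img-src data: 'self' http://*.cloudinary.com https://*.cloudinary.com; " +
  "style-src 'self' 'unsafe-inline'";

// "name src src; name src" -> { name: [src, ...] }
function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

function effectivePort(u) {
  return u.port || DEFAULT_PORTS[u.protocol] || "";
}

// Does one source expression permit `url` when loaded from `pageOrigin`?
function sourceMatches(source, url, pageOrigin) {
  const u = new URL(url);
  const page = new URL(pageOrigin);
  if (source === "'self'") {
    return u.protocol === page.protocol && u.hostname === page.hostname &&
      effectivePort(u) === effectivePort(page);
  }
  if (source === "*") {
    // '*' matches every network scheme but never data:, blob: or filesystem:.
    return !["data:", "blob:", "filesystem:"].includes(u.protocol);
  }
  if (source.startsWith("'")) return false;       // 'unsafe-inline' etc. name no origin
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {
    return u.protocol === source.toLowerCase();    // scheme source, e.g. data:
  }
  // host source: [scheme://]host[:port]; host may be "*" or "*.example.com"
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|\*\.[^:/]+|[^:/*]+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false;
  const [, scheme, host, port] = m;
  const upgrades = { "http:": "https:", "ws:": "wss:" };
  if (scheme) {
    const s = scheme.toLowerCase() + ":";
    if (u.protocol !== s && u.protocol !== upgrades[s]) return false;
  } else if (u.protocol !== page.protocol && u.protocol !== upgrades[page.protocol]) {
    return false;                                  // no scheme given: inherit the page's
  }
  const h = u.hostname.toLowerCase();
  if (host.startsWith("*.")) {
    if (!h.endsWith(host.slice(1).toLowerCase())) return false;   // "*.x.com" -> ends with ".x.com"
  } else if (host !== "*" && h !== host.toLowerCase()) {
    return false;
  }
  if (port === "*") return true;
  // No explicit port in the source: the URL must sit on its scheme's default port.
  return effectivePort(u) === (port || DEFAULT_PORTS[u.protocol]);
}

// Would the browser allow this load? Missing directive -> default-src -> allow.
function isAllowed(header, directive, url, pageOrigin) {
  const policy = parsePolicy(header);
  const sources = policy[directive] || policy["default-src"];
  if (!sources) return true;
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// Walk the loads discussed in the thread from the mirror's page origin.
function demo() {
  const page = "http://localhost:5000"; // constructed: the velocity mirror
  const checks = [
    ["connect-src", "ws://localhost:5000/sockjs/123/abc/websocket"],
    ["connect-src", "http://localhost:3000/sockjs/info?cb=x"],
    ["style-src", "http://fonts.googleapis.com/css?family=Source+Sans+Pro"],
    ["img-src", "https://res.cloudinary.com/demo/image/upload/sample.jpg"],
    ["img-src", "http://res.cloudinary.com:8080/sample.jpg"],
    ["font-src", "https://fonts.gstatic.com/s/a.woff"],
  ];
  for (const [directive, url] of checks) {
    console.log(directive, url, "->", isAllowed(SAMPLE_POLICY, directive, url, page) ? "allowed" : "blocked");
  }
}
demo();
```

Run it with `node`; the `URL` class is a global in Node. To test your own header, copy the `Content-Security-Policy` value out of the response headers in the browser's network panel and pass it in place of `SAMPLE_POLICY`. The matcher deliberately leaves out paths in source expressions and the CSP3 `'nonce-'`/`'strict-dynamic'` keywords, which browser-policy of this era did not emit.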

Sam Hatoum

Dec 18, 2014, 3:17:03 PM
to meteo...@googlegroups.com
Ah yes, that's a known bug :/ I'm going to fix that shortly

To fix, delete the local packages/test-proxy package. 

You're in luck, I've almost finished the first slice of the Cucumber tutorial and that chapter will be out today :)


