
Trying to use Sir Trevor JS in Meteor to upload images but getting:

Refused to load the image 'blob:http%3A//localhost%3A3000/a28ef7dc-ee51-4290-9941-6b8fc317e685' 
because it violates the following Content Security Policy directive: 
"img-src data: 'self' http://*.googleapis.com https://*.googleapis.com
http://*.gstatic.com https://*.gstatic.com http://*.bootstrapcdn.com 
https://*.bootstrapcdn.com http://*.facebook.com https://*.facebook.com 
http://*.fbcdn-profile-a.akamaihd.net https://*.fbcdn-profile-a.akamaihd.net 
blob://*.localhost".

I am using the browser-policy package and don't know how to accept this URL. I tried many different policies but can't get it to work. Examples:

BrowserPolicy.content.allowDataUrl("blob://*.localhost:3000");
BrowserPolicy.content.allowOriginForAll("blob:*.localhost:3000/");
BrowserPolicy.content.allowOriginForAll("blob:*.localhost:3000");
BrowserPolicy.content.allowImgUrlForAll();
BrowserPolicy.content.allowSameOriginForAll();

Any ideas?

nilsi

2 Answers

4

Okay,

This actually solved the problem:

BrowserPolicy.content.allowOriginForAll('blob:');

Doesn't seem very secure though.

Found it here

nilsi
  • Hey @nilsi, someone posted a better solution, if you want to check it out, on my Stack question that you linked in your answer. – Bradley Dec 07 '15 at 17:45
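As an added example (not code from the question, the answers, or Meteor's browser-policy package), here is a small Node.js matcher for CSP source lists. It reproduces the block reported in the question's error, shows why neither 'self' nor the host source blob://*.localhost can ever match a blob: URL (a blob: URL carries its creator's origin inside its path, not as a host), and shows that the scheme source blob: is what permits it. The img-src value and the blocked URL are the ones from the question; the page origin and the other sample URLs are constructed. Meteor's browser-policy also exposes per-directive methods such as BrowserPolicy.content.allowImageOrigin, so the same blob: source can be granted to img-src only, rather than to every directive as allowOriginForAll('blob:') does; the same matching rules apply to the worker-src directive discussed in the second answer.

```javascript
// Added example (not from the question, the answers, or Meteor's browser-policy
// package): a minimal CSP source-list matcher. It models 'self', scheme sources
// (data:, blob:) and host sources (http://*.googleapis.com). Nonces, hashes and
// redirect handling are deliberately omitted.

const PAGE_ORIGIN = "http://localhost:3000"; // constructed: the dev server in the question

// The exact img-src value reported in the question's console error.
const IMG_SRC = `data: 'self' http://*.googleapis.com https://*.googleapis.com
http://*.gstatic.com https://*.gstatic.com http://*.bootstrapcdn.com
https://*.bootstrapcdn.com http://*.facebook.com https://*.facebook.com
http://*.fbcdn-profile-a.akamaihd.net https://*.fbcdn-profile-a.akamaihd.net
blob://*.localhost`;

// The blocked URL from the same error.
const BLOB_URL = "blob:http://localhost:3000/a28ef7dc-ee51-4290-9941-6b8fc317e685";

const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

function effectivePort(url) {
  return url.port || DEFAULT_PORTS[url.protocol] || "";
}

// Parse one source expression into { kind: "self" | "scheme" | "host" | "invalid" }.
function parseSource(expr) {
  if (expr === "'self'") return { kind: "self" };
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) {
    return { kind: "scheme", scheme: expr.slice(0, -1).toLowerCase() };
  }
  // host-source: [scheme://]host[:port][/path]  (a path is accepted but ignored here)
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^\/:*]+)(?::(\d+|\*))?(\/.*)?$/i.exec(expr);
  if (!m) return { kind: "invalid" };
  return { kind: "host", scheme: m[1] ? m[1].toLowerCase() : null, host: m[2].toLowerCase(), port: m[3] || null };
}

// A source scheme also matches its secure counterpart (http: covers https:, ws: covers wss:).
function schemeMatches(scheme, protocol) {
  const s = scheme + ":";
  return s === protocol || (s === "http:" && protocol === "https:") || (s === "ws:" && protocol === "wss:");
}

function hostMatches(pattern, hostname) {
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) return hostname.endsWith(pattern.slice(1));
  return pattern === hostname;
}

function portMatches(sourcePort, url) {
  if (sourcePort === "*") return true;
  // No port in the source: the URL must sit on its scheme's default port
  // (Node normalises an explicit default port to "").
  if (sourcePort === null) return url.port === "";
  return sourcePort === effectivePort(url);
}

// 'self' covers only http(s)/ws(s) URLs on the page's origin. A blob: URL never
// matches it, even though its origin is the page's, which is why the policy in
// the question (which already contained 'self') still blocked the upload preview.
function matchesSelf(url, page) {
  if (!(url.protocol in DEFAULT_PORTS)) return false;
  const schemeOk = url.protocol === page.protocol || url.protocol === "https:" || url.protocol === "wss:";
  const portOk = effectivePort(url) === effectivePort(page) || (url.port === "" && page.port === "");
  return schemeOk && url.hostname === page.hostname && portOk;
}

// Return the source expression that permits urlString under directiveValue, or null if blocked.
function matchingSource(directiveValue, urlString, pageOrigin = PAGE_ORIGIN) {
  const url = new URL(urlString);
  const page = new URL(pageOrigin);
  for (const expr of directiveValue.trim().split(/\s+/)) {
    const src = parseSource(expr);
    if (src.kind === "self" && matchesSelf(url, page)) return expr;
    if (src.kind === "scheme" && schemeMatches(src.scheme, url.protocol)) return expr;
    if (src.kind === "host") {
      // A host source needs an authority to compare against. A blob: URL has none:
      // its creator's origin sits in the path, so `blob://*.localhost` can never
      // match `blob:http://localhost:3000/<uuid>`.
      if (url.hostname === "") continue;
      const schemeOk = src.scheme
        ? schemeMatches(src.scheme, url.protocol)
        : url.protocol === page.protocol || url.protocol === "https:";
      if (schemeOk && hostMatches(src.host, url.hostname) && portMatches(src.port, url)) return expr;
    }
  }
  return null;
}

// Demo: the policy from the question blocks the blob: preview; appending the
// scheme source `blob:` to img-src alone (BrowserPolicy.content.allowImageOrigin('blob:')
// in Meteor) permits it without widening every other directive the way
// allowOriginForAll('blob:') does.
console.log(matchingSource(IMG_SRC, BLOB_URL));                          // null (blocked)
console.log(matchingSource(IMG_SRC + " blob:", BLOB_URL));               // "blob:"
console.log(matchingSource(IMG_SRC, "http://localhost:3000/logo.png"));  // "'self'"
```

The matcher is directive-agnostic: the same function evaluates a worker-src value for a blob: worker URL exactly as it evaluates img-src for a blob: image.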
0

I had this issue using Meteor-Files package as well. I was able to add a clone of the browser-policy-content package to my local project and add 'worker-src' to the resources objects (in browser-policy-content.js):

var resources = [
    { methodResource: "Script", directive: "script-src" },
    { methodResource: "Object", directive: "object-src" },
    { methodResource: "Image", directive: "img-src" },
    { methodResource: "Media", directive: "media-src" },
    { methodResource: "Font", directive: "font-src" },
    { methodResource: "Connect", directive: "connect-src" },
    { methodResource: "Style", directive: "style-src" },
    { methodResource: "Frame", directive: "frame-src" },
    { methodResource: "FrameAncestors", directive: "frame-ancestors" },
    { methodResource: 'WorkerSource', directive: 'worker-src' } // added this!
];

Then I was able to add the below to my startup.js:

BrowserPolicy.content.allowWorkerSourceBlobUrl('localhost');
Joe Berry