Content Security Policy is making me lose my hair


#1

Hello, so I have a web server on Heroku and I’m trying to talk to the EBS from an uploaded extension, but despite including the required Content-Security-Policy properties I keep getting an error upon sending a GET request:

Refused to connect to 'http://stalker-twitch-integration.herokuapp.com/U30463352/0/0/11001/1' because it violates the following Content Security Policy directive: "connect-src https: wss:".

When I’m doing the same by just opening the extension from my personal PC the request gets sent successfully.

Any ideas what could be causing it? This is my current meta tag:

<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' http://* 'unsafe-inline' 'unsafe-eval'; script-src 'self' http://* 'unsafe-inline' 'unsafe-eval';" />

I have tried adding the connect-src https: wss: too but then it doesn’t even work locally.


#2

All communication between an Extension and EBS has to be secure, hence the requirement for https or wss.

You are getting a CSP error because your EBS URL isn’t using HTTPS.


#3

Hey Dist, how would I go about using HTTPS with Heroku? I thought it was required to use http with Heroku?

Currently my server is done this way:

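const http = require('http');

// Use the port from the environment, falling back to 3000 locally.
const PORT = process.env.PORT || 3000;

// _credentials and _app are defined elsewhere in the poster's application.
// This is a plain HTTP server: http.createServer does not use TLS key/cert options.
const _httpServer = http.createServer(_credentials, _app);

_httpServer.listen(PORT, () => {
	console.log('Server is now running on port ' + PORT);
});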

#4

You can just switch the http to https in your URL. You’ll notice if you try it directly in your browser, it says OK instead of giving an error.
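
Why the meta tag from post #1 does not lift the restriction described in reply #2, as an added example that is not part of the thread: the directive quoted in the error is absent from that meta tag, so it belongs to a second policy in force, and a browser enforces every policy on a page together. The matcher below is simplified to scheme-sources and `*`; all function names are hypothetical.

```javascript
// Simplified CSP connect-src check: supports scheme-sources ("https:") and "*".
// Host-sources, 'self', nonces and hashes are out of scope and never match here.
function parsePolicy(text) {
  const directives = new Map();
  for (const part of text.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// CSP3 scheme matching: a listed scheme also matches its secure upgrade.
function schemeMatches(source, url) {
  if (source === url) return true;
  if (source === 'http') return url === 'https';
  if (source === 'ws') return ['wss', 'http', 'https'].includes(url);
  if (source === 'wss') return url === 'https';
  return false;
}

function policyAllowsConnect(policyText, url) {
  const directives = parsePolicy(policyText);
  // connect-src falls back to default-src; with neither, nothing is restricted.
  const sources = directives.get('connect-src') ?? directives.get('default-src');
  if (sources === undefined) return true;
  const scheme = new URL(url).protocol.slice(0, -1).toLowerCase();
  return sources.some((src) => {
    if (src === '*') return ['http', 'https', 'ws', 'wss'].includes(scheme);
    if (!/^[a-z][a-z0-9+.-]*:$/i.test(src)) return false;
    return schemeMatches(src.slice(0, -1).toLowerCase(), scheme);
  });
}

// Policies never loosen each other: a request must pass every one of them.
function allowedByAll(policies, url) {
  return policies.every((policy) => policyAllowsConnect(policy, url));
}

const platformPolicy = 'connect-src https: wss:'; // directive quoted in the error
const metaPolicy = "default-src *; style-src 'self' http://* 'unsafe-inline' 'unsafe-eval'; script-src 'self' http://* 'unsafe-inline' 'unsafe-eval';";
const httpUrl = 'http://stalker-twitch-integration.herokuapp.com/U30463352/0/0/11001/1';
const httpsUrl = httpUrl.replace(/^http:/, 'https:'); // the change from reply #4

console.log('http :', allowedByAll([platformPolicy, metaPolicy], httpUrl));
console.log('https:', allowedByAll([platformPolicy, metaPolicy], httpsUrl));
```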


#5

Bro… Have a like