Content Security Policy is making me loose my hair

Thial · August 11, 2019, 9:11pm

Hello so I have a web server on heroku and I’m trying to talk to the EBS from an uploaded extension but despite including the required Content-Security-Policy properties I keep getting an error upon sending a GET request:

Refused to connect to 'http://stalker-twitch-integration.herokuapp.com/U30463352/0/0/11001/1' because it violates the following Content Security Policy directive: "connect-src https: wss:".

When I’m doing the same by just opening the extension from my personal PC the request gets sent succesfully.

Any ideas what could be causing it ? This is my current meta tag:

<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' http://* 'unsafe-inline' 'unsafe-eval'; script-src 'self' http://* 'unsafe-inline' 'unsafe-eval';" />

I have tried adding the connect-src https: wss: too but then it doesn’t even work locally.

Dist · August 11, 2019, 9:18pm

All communication between an Extension and EBS has to be secure, hence the requirement for https or wss.

You are getting a CSP error because your EBS URL isn’t using HTTPS.

Thial · August 11, 2019, 9:25pm

Hey Dist, how would I go about using HTTPS with Heroku ? I thought it was required to use http with heroku ?

Currently my server is done this way:

const PORT = process.env.PORT || 3000;

const _httpServer = http.createServer(_credentials,_app);

_httpServer.listen(PORT, () => {
	console.log('Server is now running on port '+PORT);
});

3ventic · August 11, 2019, 9:26pm

You can just switch the http to https in your URL. You’ll notice if you try it directly in your browser, it says OK instead of giving an error.

Thial · August 11, 2019, 9:30pm

Bro… Have a like