Page is blank because scripts are blocked by browser security about feathers-chat HOT 8 CLOSED

I am not able to reproduce this in any browser and am hearing about this for the first time. This must be some setting in your browser content policies, a browser plugin you enabled or a proxy server that strips out the allow-origin header that is causing this.

from feathers-chat.

Some plugin blocking the script I would expect from Firefox, but I don't usually use Chromium, and I don't have anything strange installed.

Also tried Epiphany (or Gnome Web), and got something similar

[Error] Refused to load https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.12.0/moment.js because it does not appear in the script-src directive of the Content Security Policy.
[Error] Refused to load https://unpkg.com/@feathersjs/client@^4.3.0/dist/feathers.js because it does not appear in the script-src directive of the Content Security Policy.
[Error] Failed to load resource: Error performing TLS handshake: An unexpected TLS packet was received. (base.css, line 0)
[Error] Failed to load resource: Error performing TLS handshake: An unexpected TLS packet was received. (chat.css, line 0)
[Error] Failed to load resource: Error performing TLS handshake: An unexpected TLS packet was received. (socket.io.js, line 0)
[Error] Failed to load resource: Error performing TLS handshake: An unexpected TLS packet was received. (client.js, line 0)
[Error] Failed to load resource: Error performing TLS handshake: An unexpected TLS packet was received. (favicon.ico, line 0)

So, I tried three different browsers with three different engines, more or less same issue.

On the other hand, this seems to happen only to me :|

from feathers-chat.

And the address of the socket.io plugin gives me 404

https://socket.io/socket.io.js

from feathers-chat.

The script address is http://localhost:3030/socket.io/socket.io.js. Aside from that, I'm not sure if we can help you here. This looks like a problem very specific to your system (looking at the SSL error your OpenSSL configuration may be borked). I'd recommend to try it on a different operating system in a VM to see if it persists.

from feathers-chat.

from feathers-chat.

i have the same issue here. any solutions?

from feathers-chat.

You can add

app.use((req, res, next) => {
  res.header('Content-Security-Policy', 'script-src 'self' unpkg.com cdnjs.cloudflare.com');
  next();
});

To src/app.js.

What I don't understand is why setting the equivalent meta tag in public/index.html does not seem to work:

<meta http-equiv="Content-Security-Policy" content="script-src 'self' unpkg.com cdnjs.cloudflare.com">

Content security policies are a complicated not really Feathers specific topic. More info can be found at content-security-policy.com and MDN documentation (both did not answer the question why my meta tag does not work though).

from feathers-chat.

Ok, figured it out, it was the new version of helmet. In your src/app.js|ts change

app.use(helmet());

To

app.use(helmet({
  contentSecurityPolicy: false
}));

This will no longer happen in a newly generated application.

from feathers-chat.