Content-Security-Policy

So I have a Glitch project that I’m trying to connect to a MongoDB and it’s generating an error:

analytics.min.js:9 Refused to load the script 'https://cdn.amplitude.com/libs/amplitude-5.2.2-min.gz.js' because it violates the following Content Security Policy directive: "script-src 'self'

      https://apis.google.com
      https://cdnjs.cloudflare.com
      https://cdn.segment.com
      https://ajax.googleapis.com
      https://*.woopra.com
      [...]

      http://www.luckyorange.com https://ssl.luckyorange.com https://d10lpsik1i8c69.cloudfront.net". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

It looks like a meta tag was added to my project’s header that included this content security policy… I couldn’t find it in any of the source files, so I created a new project just to test, and sure enough the same meta tag was there, leading me to believe that Glitch automatically adds this to all projects. Is there any way to modify this behavior? If not, can anyone take a look at my project linked above and suggest a workaround?

Hi @TaraBryn,

So you are seeing these errors on the browser console while in the Glitch editor? These indicate possible issues with the editor itself, probably in conjunction with the security settings on the browser, and likely don’t stop it working well enough to edit your project.

What you should be focusing on is the server Log inside the editor; get to it via the Tools button at the bottom of the editor page.

The browser console logs are more useful for when running the client side of your project, i.e. myproject.glitch.me

Are you getting any connection errors to MongoDB?

Do you think it’s an error? It seems like it might be a safety setting from Glitch itself?

@mishavee @househaunt It turns out that it’s an issue with all Glitch projects… I tested it and that meta tag is added to all projects, and the errors occur for all projects as well.

I originally posted a question about this to Stack Overflow before coming here b/c I didn’t initially think it was an issue with Glitch itself, and the person who responded helped me to discover the tag in the first place. He tested it on his end, and it’s doing the same thing, so it looks like it’s just an issue with the way that Glitch deploys the projects? In any case, I’m back to square one with why my DB isn’t connecting. Thank you though.

If you show the errors you are getting, we can help further.

There are a few areas that need to be correct to get the connection to work. I’ll assume you are using Atlas …

  • Whitelist: allow connections from any IP address

  • Connection string generated by Atlas, placed in .env similar to the following, note the “test” database, no weird characters in username or password, and quotes around the whole value …

    MONGO_URI='mongodb+srv://username:password@cluster0-host.mongodb.net/test?retryWrites=true&w=majority'

  • Remove two warnings with …

    mongoose.connect(process.env.MONGO_URI, {useNewUrlParser: true, useUnifiedTopology: true});
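
A sanity check for the `MONGO_URI` value described in the post above, as an added example that is not part of the thread: it percent-encodes the credentials and flags unencoded reserved characters, a missing database name, and missing TLS. The function names `buildMongoUri` and `checkMongoUri` are hypothetical, the user, password and second host are constructed, and the reserved-character list assumed is the one in MongoDB's connection-string documentation (`: / ? # [ ] @`).

```javascript
// Added example, not code from the thread; host, user and password are constructed.

// Characters that must be percent-encoded inside a MongoDB username or password.
const RESERVED = /[:\/?#\[\]@]/;

// Build the URI with encoded credentials so a password such as "p@ss/w0rd:1"
// cannot shift where the host or the database name begins.
function buildMongoUri({ user, password, host, db, options = {} }) {
  const query = new URLSearchParams(options).toString();
  const auth = `${encodeURIComponent(user)}:${encodeURIComponent(password)}`;
  return `mongodb+srv://${auth}@${host}/${db}${query ? `?${query}` : ''}`;
}

// Return the problems found in a connection string; an empty array means it passed.
function checkMongoUri(uri) {
  const scheme = /^(mongodb(?:\+srv)?):\/\//.exec(uri);
  if (!scheme) return ['scheme must be mongodb:// or mongodb+srv://'];
  const problems = [];
  const body = uri.slice(scheme[0].length);
  const at = body.lastIndexOf('@'); // credentials end at the last "@"
  if (at === -1) return ['no username:password@ section'];
  const userinfo = body.slice(0, at);
  const colon = userinfo.indexOf(':');
  const user = colon === -1 ? userinfo : userinfo.slice(0, colon);
  const password = colon === -1 ? '' : userinfo.slice(colon + 1);
  if (!user || !password) problems.push('username or password is empty');
  if (RESERVED.test(user) || RESERVED.test(password)) {
    problems.push('credentials contain an unencoded reserved character');
  }
  const m = /^([^\/?#]+)(?:\/([^?#]*))?(?:\?([^#]*))?/.exec(body.slice(at + 1));
  if (!m) return problems.concat('host is missing');
  if (!m[2]) problems.push('no database name after the host');
  // mongodb+srv enables TLS unless told otherwise; plain mongodb:// must ask for it.
  const opts = new URLSearchParams(m[3] || '');
  const flag = opts.get('tls') ?? opts.get('ssl');
  const tls = flag === null ? scheme[1] === 'mongodb+srv' : flag === 'true';
  if (!tls) problems.push('TLS is not enabled');
  return problems;
}

// Constructed sample: the same password, encoded by the builder and pasted raw.
const good = buildMongoUri({ user: 'appuser', password: 'p@ss/w0rd:1',
  host: 'cluster0-host.mongodb.net', db: 'test',
  options: { retryWrites: 'true', w: 'majority' } });
const raw = 'mongodb+srv://appuser:p@ss/w0rd:1@cluster0-host.mongodb.net/test';
console.log(checkMongoUri(good));
console.log(checkMongoUri(raw));
```

With the Atlas access list open to any address, the credentials and TLS are the controls left in front of the database, which is why the check treats both as failures rather than warnings.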

@mishavee thank you! I figured out the useNewUrlParser and useUnifiedTopology on my own based on the errors; the issue I was having was adding the allow access from anywhere to the whitelist. I just happened to stumble across something right now that helped me with that. Although, it seems to defeat that particular security feature to allow access from anywhere. Is there a list of IPs Glitch uses to make it more secure?

The IPs can change every time your project restarts, and the ranges aren’t easy to pin down; Cori wrote more on this …

Sounds like you got the connection working? That’d be great 🙂

@mishavee Sorry for the delayed response, yes, I did. Thanks!
