Pup

v2.x

Browser Policy

When running a product in production, a common problem to deal with is attacks like script injection and cross-site scripting (XSS). Fortunately, because these are so common, the team behind Meteor (the JavaScript platform Pup is built on top of) took the time to write a package called Browser Policy.

This package lets us define rules that control what content can be loaded into the client side of our application. The purpose is to block malicious content from being loaded and targeted against your users.

/startup/server/browserPolicy.js
import { BrowserPolicy } from 'meteor/browser-policy-common';

// Bootstrap
BrowserPolicy.content.allowOriginForAll('*.bootstrapcdn.com');

// FontAwesome
BrowserPolicy.content.allowOriginForAll('use.fontawesome.com');

// GraphQL Playground
BrowserPolicy.content.allowOriginForAll('graphcool-playground.netlify.com');
BrowserPolicy.content.allowOriginForAll('cdn.jsdelivr.net');

// Replace these with your own content URLs
BrowserPolicy.content.allowOriginForAll('cleverbeagle-assets.s3.amazonaws.com');
BrowserPolicy.content.allowOriginForAll('s3-us-west-2.amazonaws.com');
BrowserPolicy.content.allowFontOrigin('data:');
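
One way to review an allowlist like the one above is to audit the script sources in the Content-Security-Policy header the app ends up sending. This is an added example, not code from Pup or Meteor: the sample header, the issue labels and the shared-host list are constructed for illustration, and the sample assumes a bare origin is emitted for both `http://` and `https://`.

```javascript
// SAMPLE_HEADER is constructed for illustration, not captured from a Pup app.
const SAMPLE_HEADER = [
  "default-src 'self'",
  "script-src 'self' 'unsafe-inline' http://*.bootstrapcdn.com " +
    "https://*.bootstrapcdn.com https://cdn.jsdelivr.net " +
    "https://s3-us-west-2.amazonaws.com https://cleverbeagle-assets.s3.amazonaws.com",
  "font-src 'self' data: https://use.fontawesome.com",
].join('; ');

// Assumed list of multi-tenant hosts: allowing one allows every tenant's files.
const SHARED_HOSTS = [/^cdn\.jsdelivr\.net$/, /^s3[.-]([a-z0-9-]+\.)?amazonaws\.com$/];

// Parse a CSP header into a Map of directive name -> source list.
// Directive names are case-insensitive and the first duplicate wins.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = (name || '').toLowerCase();
    if (key && !policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// Return the issue labels for one source expression used for scripts.
function issuesFor(source) {
  const src = source.toLowerCase();
  if (src === "'unsafe-inline'" || src === "'unsafe-eval'") return ['unsafe-keyword'];
  if (src.startsWith("'")) return []; // 'self', 'none', nonces, hashes
  if (src === '*' || /^[a-z][a-z0-9+.-]*:$/.test(src)) return ['any-host'];
  const issues = [];
  if (src.startsWith('http://')) issues.push('plaintext');
  const host = src.replace(/^[a-z][a-z0-9+.-]*:\/\//, '').split(/[/:]/)[0];
  if (host.startsWith('*.')) issues.push('wildcard-host');
  if (SHARED_HOSTS.some((re) => re.test(host))) issues.push('shared-host');
  return issues;
}

// script-src falls back to default-src when it is absent.
function auditScriptSources(header) {
  const policy = parseCsp(header);
  const sources = policy.get('script-src') || policy.get('default-src') || [];
  return sources
    .map((source) => ({ source, issues: issuesFor(source) }))
    .filter((finding) => finding.issues.length > 0);
}

console.log(auditScriptSources(SAMPLE_HEADER));
```

A bucket-specific origin such as `cleverbeagle-assets.s3.amazonaws.com` passes the audit, while the regional endpoint `s3-us-west-2.amazonaws.com` is flagged because it covers every bucket in that region.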