
Meteor BrowserPolicy enable 'blob:' origins

I have enabled the Content Security Policy Meteor package meteor/browser-policy-common.

Now I'm getting this error from ostrio:files related to CSP:

Refused to create a worker from 'blob:http://localhost:3000/ef628f55-736b-4b36-a32d-b1056adfaa8c' because it violates the following Content Security Policy directive: "default-src 'self' http://fonts.googleapis.com https://fonts.googleapis.com http://fonts.gstatic.com https://fonts.gstatic.com http://code.ionicframework.com https://code.ionicframework.com". Note that 'worker-src' was not explicitly set, so 'default-src' is used as a fallback.

My actual browser-policy-common config looks like this:

import { BrowserPolicy } from 'meteor/browser-policy-common';
// e.g., BrowserPolicy.content.allowOriginForAll( 's3.amazonaws.com' );
// BrowserPolicy.content.allowFontOrigin("data:");

BrowserPolicy.framing.disallow();
BrowserPolicy.content.disallowInlineScripts();
BrowserPolicy.content.disallowEval();
BrowserPolicy.content.allowInlineStyles();
BrowserPolicy.content.allowFontDataUrl();

const trusted = [
  'fonts.googleapis.com',
  'fonts.gstatic.com',
  'code.ionicframework.com',
];

_.each(trusted, (origin) => {
  BrowserPolicy.content.allowOriginForAll(origin);
});

Can you tell me which config I should change to allow ostrio:files blob:http://localhost:3000/... to work?

Thanks a lot!

razor7 asked May 12 '17 18:05


1 Answer

To allow blob: origins, you can add this:

BrowserPolicy.content.allowOriginForAll('blob:');

Meteor doesn’t provide a mechanism for more specifically allowing blob: just for worker-src.

sideshowbarker answered Nov 05 '22 22:11
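The trade-off the answer describes, as an added example that is not part of the original answer or of Meteor's code: it parses the policy from the error message, applies the CSP Level 3 fallback order for workers, and compares a blanket blob: allowance with one confined to worker-src. The helper names and the two variant policy strings are constructed for illustration; the variants are simplified to the single default-src directive the error message shows.

```javascript
// CSP Level 3 fallback order for workers: the first directive present wins.
const WORKER_FALLBACK = ['worker-src', 'child-src', 'script-src', 'default-src'];
// Fetch directives checked below (a subset); absent ones fall back to default-src.
const FETCH_DIRECTIVES = ['script-src', 'style-src', 'img-src', 'font-src',
  'connect-src', 'media-src', 'object-src', 'worker-src'];

// Parse a CSP header value into a Map of directive name -> source list.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    // A repeated directive is ignored: the first occurrence wins.
    if (key && !policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// First directive in `chain` that the policy defines, with its source list.
function effectiveSources(policy, chain) {
  const hit = chain.find((d) => policy.has(d));
  return hit ? { directive: hit, sources: policy.get(hit) } : null;
}

// blob: must be listed explicitly; 'self' and * do not match it.
const hasBlob = (sources) => sources.some((s) => s.toLowerCase() === 'blob:');

// True when a worker created from a blob: URL passes the policy.
function allowsBlobWorker(policy) {
  const eff = effectiveSources(policy, WORKER_FALLBACK);
  return eff === null || hasBlob(eff.sources);
}

// Fetch directives whose effective source list contains blob:.
function blobExposure(policy) {
  return FETCH_DIRECTIVES.filter((d) => {
    const eff = effectiveSources(policy, d === 'worker-src' ? WORKER_FALLBACK : [d, 'default-src']);
    return eff !== null && hasBlob(eff.sources);
  });
}

// Policy taken from the default-src list quoted in the error message.
const REPORTED = "default-src 'self' http://fonts.googleapis.com https://fonts.googleapis.com " +
  "http://fonts.gstatic.com https://fonts.gstatic.com " +
  "http://code.ionicframework.com https://code.ionicframework.com";
const BROAD = REPORTED + ' blob:';                      // constructed: blanket allowance
const SCOPED = REPORTED + "; worker-src 'self' blob:";  // constructed: worker-src only

for (const [label, p] of Object.entries({ REPORTED, BROAD, SCOPED })) {
  console.log(label, allowsBlobWorker(parsePolicy(p)), blobExposure(parsePolicy(p)).join(','));
}
```

Both variants unblock the worker, but the blanket form also admits blob: URLs for scripts, images, connections and the other directives that inherit from default-src.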