Code included at end of Index.html

And now that a CSP is being included in index.html files again, I am getting some legitimate CSP errors. But there is one I’m not sure about: what is this code, and why is AS including it at the end of my index.html?

            <script>
            var ws = new WebSocket('ws://127.0.0.1:56210/');
            ws.addEventListener('message', function (event) {
              if (event.data === 'refresh') {
                document.location.reload(true);
              }
            });
            </script>
      </body>
</html>

The problem occurs because this code is executed after the CSP definition and my CSP does not allow the localhost on scripting. I can change the CSP to fix the error for run on desktop deploy, but what is this code? Where did it get the port number from, as it’s not my deploy port number?

Are you seeing this when you Start in Desktop Browser? AppStudio starts a mini server when this happens just to run your app.

Yes - Desktop Deploy. Makes sense. I hadn’t gotten to deploying on a real server yet for additional testing.

For Desktop Deploy, do I need to add a script CSP 127.0.0.1:* for this code to work appropriately, or is it aok for the browser to block it?

We just uploaded AppStudio 8.4.1.2. Now, if CSP is blank, then no CSP is output when deploying locally. The only time it is supplied is if:

  • A CSP is supplied
  • Build is for VoltBuilder or Cordova, where a CSP is expected.

If I (with version 8.4.1.2) specify a CSP for my project, I get the following CSP issue with Start in Desktop Browser:

Refused to connect to 'ws://127.0.0.1:59971/' because it violates the following Content Security Policy directive: "connect-src 'self' https://*.theweedwerx.com

I don’t have this host in my CSP as my app didn’t access this. This is only included, if I understand correctly, on a Start in Desktop Browser by AppStudio. And the port number is random.

I don’t care if I get this error when debugging. But if the localhost access is required by AppStudio, then I can add the localhost to the CSP.

But what bothers me is this: I don’t want to add an entry to my CSP for ws://127.0.0.1:* as that allows anyone to run the web app from a localhost (let’s make it easy for them to try to hack our data servers). The whole point of CSP is to block open access like localhost servers. (or trying to remember to change the CSP as I do the different types of deploys - not happening - this is sounding like a bigger bag of worms).

So, does AppStudio require that I get the Start in Desktop Browser CSP issue resolved? or can I just ignore the CSP issue?

But ignoring the CSP issue will disable that code, and that code is only included in Start in Desktop Browser, so is there really any point to including that code?

We’ll look at this. Ideally, no CSP should be applied when running in Start in Desktop Browser.

Let me think the idea of no CSP in Start in Desktop Browser through. It sounds reasonable.

Even though the thought of removing any CSP during a Start in Desktop Browser sounds good, I think it’s a bad idea to have one deployment method be radically different than the others.

Currently, no matter which deployment method you choose, your CSP if specified is included in the resultant project. I can just imagine newbies trying to understand WTF happened to their CSP while they are debugging on the desktop if it was not included in that deployment method.

So I re-ask my original question: What does this code do, and is it important that it be allowed to execute in Start in Desktop Browser? I see it does a hard reload, but what is causing the event that will be triggering the reload?

            <script>
            var ws = new WebSocket('ws://127.0.0.1:56210/');
            ws.addEventListener('message', function (event) {
              if (event.data === 'refresh') {
                document.location.reload(true);
              }
            });
            </script>
      </body>
</html>

This code allows a hot reload when you start in the desktop browser. Without it, Start in Desktop Browser would need an extra step each time. Definitely confusing, especially to new users.

We’re going to try the no CSP when running in the desktop browser. Let’s see how it feels in the real world.

Yes, it is messy when the CSP blocks the event.

I assume most developers do provide CSP in their projects. But if, like me, you forget about it till something happens, then you test and wonder what is going on. Maybe inject a comment where the meta tag would normally go, saying that the meta tag was not included as this is the Start in Desktop Browser deploy method. And obviously note it at the top of the docs/help/etc.

8.4.1.3 is now available. It does not include the CSP when running in the local browser.

Let’s see how this feels for everyone.

It does not include CSP for Start in Desktop Browser NOR for Deploy to Local Folder. Oops - we went backwards. 😲

Thanks - we’ll have a look.

After more consideration, maybe this approach works:

Implement the normal Start in Desktop Browser to NOT include CSP.

Add an additional Run Menu item called Start In Desktop Browser with CSP for Testing and include the CSP. Then we can debug our CSP with the localhost. Place this menu item separately from the normal ones to avoid confusion.

Didn’t there used to be a way to log CSP requests via a server-side script? (It was used for debugging CSP issues but I think they were going to deprecate it.)

8.4.1.4 is out.

Start in Desktop Browser does not include CSP code.
Deploy to Local Server does include CSP code.

This version 8.4.1.4 is blanking out my CSP property in project properties when I do the following in AppStudio (all of the steps may not be necessary, but here’s one way):

1. Open a project without CSP defined
2. Add CSP properties (I added:   xyz   (yes it's invalid))
3. Deploy to local folder
4. Save Project
5. Press triangle to Start in Desktop Browser
6. Save Project
7. Quit AppStudio
8. Open AppStudio

At this point the CSP property in project properties is blank.

This even happens with the Project1 I uploaded earlier for CSP issues.

I know that I normally do not use the save project. I was inspecting the .project file after each save to see what was going on. This did happen to my existing project as well and I know I didn’t use the save project menu item. Just the two deploy options.

Thanks. We’ll have a look.

CSP issue should be fixed in 8.4.1.5

Looks good so far. I’ll be beating it up as usual and keep an eye out for it (I still have a lot of floaters and a small gas bubble in my eye from all the procedures - so I really only have an eye) 🙂 Trying to keep it light 🤓

Thanks for tracking this down. The docs will need some changes to reflect the SIDB missing CSP reasoning, but functionally it looks good.
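
One way to avoid hand-editing the CSP for each deploy type, as an added example (not AppStudio's code and not from any poster in this thread): a build-step helper that adds the hot-reload WebSocket origin, with its exact port, only for a desktop-dev build, and refuses to emit a policy containing loopback sources for any other target. The function names, the target labels and the sample policy are assumptions; the port is the one from the error message quoted above.

```javascript
// Added example; parseCsp, findLoopbackSources, cspForTarget and the target names are hypothetical.
function parseCsp(csp) {
  const directives = new Map();
  for (const part of csp.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers: the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Source expressions naming the local machine: any scheme, any port or wildcard port.
const LOOPBACK = /^(?:[a-z][a-z0-9+.-]*:\/\/)?(?:127\.0\.0\.1|localhost|\[::1\])(?::(?:\d+|\*))?(?:\/.*)?$/i;

function findLoopbackSources(csp) {
  const hits = [];
  for (const [name, sources] of parseCsp(csp)) {
    for (const s of sources) if (LOOPBACK.test(s)) hits.push(`${name} ${s}`);
  }
  return hits;
}

// target 'desktop-dev' gets the reload socket; every other target must be loopback-free.
function cspForTarget(baseCsp, target, reloadPort) {
  if (target !== 'desktop-dev') {
    const hits = findLoopbackSources(baseCsp);
    if (hits.length) throw new Error(`loopback source in ${target} CSP: ${hits.join(', ')}`);
    return baseCsp;
  }
  if (!Number.isInteger(reloadPort) || reloadPort < 1 || reloadPort > 65535) {
    throw new RangeError('reloadPort must be an integer between 1 and 65535');
  }
  const directives = parseCsp(baseCsp);
  // connect-src falls back to default-src when absent, so start from that list.
  const inherited = directives.get('connect-src') ?? directives.get('default-src');
  if (!inherited) return baseCsp; // nothing restricts connections, nothing to add
  const devSource = `ws://127.0.0.1:${reloadPort}`;
  const sources = inherited.filter((s) => s !== "'none'");
  if (!sources.includes(devSource)) sources.push(devSource);
  directives.set('connect-src', sources);
  return [...directives].map(([n, s]) => [n, ...s].join(' ')).join('; ');
}

// Constructed sample policy (api.example.com is a placeholder host).
const samplePolicy = "default-src 'self'; connect-src 'self' https://api.example.com";
console.log(cspForTarget(samplePolicy, 'desktop-dev', 59971));
```
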