OT is not defined about opentok-react HOT 12 CLOSED

Hi @aiham,

Thank you very much for your precious help. Actually I was getting this error because I was using package: browser-policy, you've put me in the right track.

I simply need to add this to my code:

Meteor.startup( () => {
  BrowserPolicy.content.allowInlineScripts('static.opentok.com');
  BrowserPolicy.content.allowOriginForAll('static.opentok.com');
})

Here's an article talking about it: Using the Browser Policy Package

Thank you again for your help.

from opentok-react.

@alveshelio Thanks for using opentok-react!

You would get OT is not defined if you haven't included opentok.js before your application. Have you followed the following instruction from the README:

Include opentok.js before your application:
<script src="//static.opentok.com/v2/js/opentok.min.js"></script>

If you have done that, maybe you can give me more information about your setup because nothing else comes to mind.

from opentok-react.

Hi @aiham,

I had not added this script.
I'm not sure about this one:

Include opentok.js before your application:

<script src="//static.opentok.com/v2/js/opentok.min.js"></script>

I've added <script src="//static.opentok.com/v2/js/opentok.min.js"></script> to my main.html file, this is what I have:

<body>
  <div id="react-root"></div>
  <script src="//static.opentok.com/v2/js/opentok.min.js"></script>
</body>

Because the tutorial says, include opentok.js before your application and I've checked your example and you are indeed loading this before the bundle.js file. However, I'm using Meteor and in my html file I do not have the bundle.js file that is called.

When I add <script src="//static.opentok.com/v2/js/opentok.min.js"></script> right before the tag, I get this error:
Refused to load the script 'http://static.opentok.com/v2/js/opentok.min.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline'".

from opentok-react.

@alveshelio I just deleted my previous comment, I believe it's wrong.

I think you should load opentok.js using https:

<script src="https://static.opentok.com/v2/js/opentok.min.js"></script>

I will update the README now.

from opentok-react.

Hi @aiham,

Unfortunately with both methods:
meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' static.opentok.com"
and

I'm still getting the same error.

I've tried on Chrome, Firefox and Safary and I have the same error in all three.

from opentok-react.

@alveshelio What if you try adding the following before </head>:

<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' static.opentok.com">

This is setting a Content Security Policy which trusts static.opentok.com. See:

• https://content-security-policy.com/
• https://www.html5rocks.com/en/tutorials/security/content-security-policy/

I suspect Meteor is setting a Content Security Policy which only trusts the same origin. Can you open your page with the dev tools open, navigate to the Network tab and click on the request which loads the HTML page. Can you see if there is a response header called Content-Security-Policy there?

from opentok-react.

so I've added
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' static.opentok.com">

and checked the Network tab, in "XHR" I don't see anything related to Content-Security-Policy, in "Other" i see "opentok.min.js" withs Status "(blocked:scp)"

from opentok-react.

@alveshelio The CSP header will be in the network request for the HTML page itself, not XHR. Open the network tab and press refresh, it should be the first request in the list.

from opentok-react.

I don't see any SCP at the top, here's what I have: http://prntscr.com/e8fn9l

The request to opentok.min.js comes almost at the end, check here: http://prntscr.com/e8fmzp,

from opentok-react.

@alveshelio What about before Clipper.js? There must be a HTML page that loads first. You need to press refresh after you open the dev tools

from opentok-react.

Also, the Content Security Policy is shown once you click on the request, under the Response Headers section:

from opentok-react.

I haven't got much experience with Meteor so I can't say for sure, but it's probably adding the CSP header. You will likely need to add static.opentok.com to the list of trusted domains for static content. There is likely a module to help you with this: https://blog.meteor.com/defense-in-depth-securing-meteor-apps-with-content-security-policy-8fd5ffa503ee

from opentok-react.