Algolia and Brave browser

Brave browser version 1.0 has been released today.

It seems that Algolia does not work on my site.
I get the following error:

Refused to load the script 'data:application/javascript;base64,KGZ1bmN0aW9uKCkgewoJLy............pOwoJfQp9KSgpOwo' because it violates the following Content Security Policy directive: "script-src 'unsafe-inline' 'unsafe-eval' Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.


algoliasearchLite.min.js:3 POST https://********-dsn.algolia.net/1/indexes/*/queries?x-algolia-agent=Algolia%20for%20vanilla%20JavaScript%20(lite)%203.32.0%3Binstantsearch.js%20(4.0.0)%3BJS%20Helper%20(0.0.0-5a0352a)&x-algolia-application-id=954LCDMDF8&x-algolia-api-key=*************** 403
(anonymous) @ algoliasearchLite.min.js:3
s._request @ algoliasearchLite.min.js:3
r @ algoliasearchLite.min.js:2
n._jsonRequest @ algoliasearchLite.min.js:2
n.search @ algoliasearchLite.min.js:2
te._search @ instantsearch.js@^4.0.0:2
te.searchOnlyWithDerivedHelpers @ instantsearch.js@^4.0.0:2
t.search @ instantsearch.js@^4.0.0:2
value @ instantsearch.js@^4.0.0:2
(anonymous) @ app.js?v=aace9b403c:1
instantsearch.js@^4.0.0:2 Uncaught (in promise) Error: Uncaught, unspecified "error" event. ([object Object])
    at y.W.emit (instantsearch.js@^4.0.0:2)
    at te.<anonymous> (instantsearch.js@^4.0.0:2)
    at te.W.emit (instantsearch.js@^4.0.0:2)
    at te._dispatchAlgoliaError (instantsearch.js@^4.0.0:2)

On all other browsers I have no problems.

What could be the problem?

Hi @giacomosilli. Can you mention your website here so that I can take a look?

This is the site I’m working on rootlink.it

Hi @giacomosilli,

It looks like the Brave browser is not allowing the correct referer to be sent (the Brave browser sends “https://****-dsn.algolia.net/” and Chrome sends “https://noviello.it/”), I guess for privacy reasons.

The request ends up in a 403 with an error message like “Method not allowed with this referer”.
Did you set up referer restrictions as pointed out in our documentation: https://www.algolia.com/doc/guides/security/security-best-practices/#http-referers-restrictions

Thanks,

If I disable the “Content-Security-Policy” header, I no longer have the error referring to the “script-src”.

But I still have the error of the POST call of the algoliasearchLite.js

algoliasearchLite.min.js:3 POST https://954lcdmdf8-dsn.algolia.net/1/indexes/*/queries?x-algolia-agent=Algolia%20for%20vanilla%20JavaScript%20(lite)%203.32.0%3Binstantsearch.js%20(4.0.0)%3BJS%20Helper%20(0.0.0-5a0352a)&x-algolia-application-id=954LCDMDF8&x-algolia-api-key=9b2f8a5367f7e21af819bfc612c1074b 403
(anonymous) @ algoliasearchLite.min.js:3
s._request @ algoliasearchLite.min.js:3
r @ algoliasearchLite.min.js:2
n._jsonRequest @ algoliasearchLite.min.js:2
n.search @ algoliasearchLite.min.js:2
te._search @ instantsearch.js@^4.0.0:2
te.searchOnlyWithDerivedHelpers @ instantsearch.js@^4.0.0:2
t.search @ instantsearch.js@^4.0.0:2
value @ instantsearch.js@^4.0.0:2
(anonymous) @ app.js?v=565eb2a28a:1
instantsearch.js@^4.0.0:2 Uncaught (in promise) Error: Uncaught, unspecified "error" event. ([object Object])
    at y.W.emit (instantsearch.js@^4.0.0:2)
    at te.<anonymous> (instantsearch.js@^4.0.0:2)
    at te.W.emit (instantsearch.js@^4.0.0:2)
    at te._dispatchAlgoliaError (instantsearch.js@^4.0.0:2)

I also tried to create a new API Key to insert all the Algolia HTTP Referers (the default API key cannot be modified), but the problem persists.

Hi @giacomosilli, when I try to reproduce this error with a curl,

curl -X POST \
     -H "X-Algolia-API-Key: 9b2f8a5367f7e21af819bfc612c1074b" \
     -H "X-Algolia-Application-Id: 954LCDMDF8" \
     --data-binary '{ "requests": [{ "indexName": "ghost_prod", "params": "query=" }], "strategy": "none" }' \
     "https://954LCDMDF8-dsn.algolia.net/1/indexes/*/queries"

I get the same error message. This leads me to believe you might have put a referer restriction on the key, as outlined here: https://www.algolia.com/doc/api-reference/api-methods/add-api-key/#create-api-key-with-advanced-restrictions and as @clement.denoix pointed out.

If you create a search key without any referers, does the same error happen? Could you share what exactly you set as the referers?
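The referer check the two replies above describe, as an added example that is not part of this thread and not Algolia's own code. It models an API key's "HTTP referers" restriction so the Brave failure can be reasoned about offline. The matching semantics are an assumption based only on the pattern syntax used in the thread (each entry is a glob where `*` matches any run of characters; the request's Referer must match at least one entry; a restricted key also rejects a request that carries no Referer at all, which is what the curl reproduction hits). The referer values are constructed from what the thread reports: Chrome sends the page origin, Brave sends the destination host.

```javascript
// Added example, not code from this thread or from Algolia. Assumed semantics
// of an API key's HTTP-referer restriction: each allowed entry is a glob in
// which "*" matches any run of characters, the Referer must match at least one
// entry, and a restricted key rejects requests that send no Referer at all.

// Compile one allowed-referer entry such as "*algolia.net/*" into an anchored RegExp.
function patternToRegExp(pattern) {
  const body = pattern
    .split('*')
    .map(part => part.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')) // escape regex metacharacters
    .join('.*');
  return new RegExp(`^${body}$`);
}

// True if a request carrying `referer` is accepted by a key restricted to `allowed`.
// An empty list means the key carries no referer restriction.
function refererAllowed(allowed, referer) {
  if (allowed.length === 0) return true;
  if (!referer) return false;
  return allowed.some(entry => patternToRegExp(entry).test(referer));
}

// Constructed inputs taken from the thread: Chrome sends the page origin as the
// Referer, Brave sends the destination host, a plain curl sends nothing.
const CHROME_REFERER = 'https://noviello.it/';
const BRAVE_REFERER = 'https://954lcdmdf8-dsn.algolia.net/';
const NO_REFERER = undefined;

// Two hypothetical key restrictions: the site alone, and the site plus the
// Algolia entries the thread ends up adding.
const SITE_ONLY = ['https://noviello.it/*'];
const SITE_PLUS_ALGOLIA = ['https://noviello.it/*', '*algolia.com/*', '*algolia.net/*'];

// Evaluate each (key restriction, client) combination and return the outcomes.
function outcomes() {
  return {
    'site-only / chrome': refererAllowed(SITE_ONLY, CHROME_REFERER),
    'site-only / brave': refererAllowed(SITE_ONLY, BRAVE_REFERER),
    'site-only / curl': refererAllowed(SITE_ONLY, NO_REFERER),
    'site+algolia / brave': refererAllowed(SITE_PLUS_ALGOLIA, BRAVE_REFERER),
    'unrestricted / curl': refererAllowed([], NO_REFERER),
    // Caveat: the glob is loose. "*algolia.net/*" also accepts a look-alike host.
    'site+algolia / look-alike': refererAllowed(SITE_PLUS_ALGOLIA, 'https://notalgolia.net/'),
  };
}

for (const [name, ok] of Object.entries(outcomes())) {
  console.log(`${name.padEnd(28)} -> ${ok ? 'accepted' : '403 (referer not allowed)'}`);
}
```

Two practitioner caveats follow from the model. First, the Referer header is set by the client, so a referer restriction is a nuisance barrier against casual key reuse, not an authentication control; anyone can reproduce a browser request with `curl -H "Referer: https://noviello.it/"`. Second, an entry such as `*algolia.net/*` matches any host ending in `algolia.net`, including look-alikes, so keep the list as tight as the clients you actually need to admit.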

Yes, it is an HTTP referers problem.

I created a new API Key with *algolia.com/*, *algolia.net/* in HTTP Referers.

Now Algolia is working properly. I don’t understand why only Brave Browser gives this problem.
On the other browsers I didn’t have to add Algolia as a reference in the Key.

Anyway I still have the headers problem.

I added in the header Content-Security-Policy
connect-src algolia.net algolianet.com algolia.com 954lcdmdf8-dsn.algolia.net (<- without this it does not work, I hope it’s not dynamic)

also in script-src and script-src-elem I added them.

Algolia works, but there is some problem in the headers. I replied here with everything

Refused to load the script 'data:application/javascript;base64,KGZ1bmN0aW9uKCkgewoJLy8gaHR0cHM6Ly9kZXZlbG9wZXJzLmdvb2dsZS5jb20vYW5hbHl0aWNzL2Rldmd1aWRlcy9jb2xsZWN0aW9uL2FuYWx5dGljc2pzLwoJdmFyIG5vb3BmbiA9IGZ1bmN0aW9uKCkgewoJCTsKCX07Cgl2YXIgbm9vcG51bGxmbiA9IGZ1bmN0aW9uKCkgewoJCXJldHVybiBudWxsOwoJfTsKCS8vCgl2YXIgVHJhY2tlciA9IGZ1bmN0aW9uKCkgewoJCTsKCX07Cgl2YXIgcCA9IFRyYWNrZXIucHJvdG90eXBlOwoJcC5nZXQgPSBub29wZm47CglwLnNldCA9IG5vb3BmbjsKCXAuc2VuZCA9IG5vb3BmbjsKCS8vCgl2YXIgdyA9IHdpbmRvdywKCQlnYU5hbWUgPSB3Lkdvb2dsZUFuYWx5dGljc09iamVjdCB8fCAn...' because it violates the following Content Security Policy directive.........

EDIT
I think there’s a bug somewhere. I didn’t change anything. Headers are all disabled.
And the API Key has these HTTP Referers:

*algolia.com/*, *algolia.net/*

Now I have also tried to remove all the Restrictions from the API Key

I have this problem again:

algoliasearchLite.min.js:3 POST https://954lcdmdf8-dsn.algolia.net/1/indexes/*/queries?x-algolia-agent=Algolia%20for%20vanilla%20JavaScript%20(lite)%203.32.0%3Binstantsearch.js%20(4.0.0)%3BJS%20Helper%20(0.0.0-5a0352a)&x-algolia-application-id=954LCDMDF8&x-algolia-api-key=9b2f8a5367f7e21af819bfc612c1074b 403
(anonymous) @ algoliasearchLite.min.js:3
s._request @ algoliasearchLite.min.js:3
r @ algoliasearchLite.min.js:2
n._jsonRequest @ algoliasearchLite.min.js:2
n.search @ algoliasearchLite.min.js:2
te._search @ instantsearch.js@^4.0.0:2
te.searchOnlyWithDerivedHelpers @ instantsearch.js@^4.0.0:2
t.search @ instantsearch.js@^4.0.0:2
value @ instantsearch.js@^4.0.0:2
(anonymous) @ app.js?v=4cd428d731:101
instantsearch.js@^4.0.0:2 Uncaught (in promise) Error: Uncaught, unspecified "error" event. ([object Object])
    at y.W.emit (instantsearch.js@^4.0.0:2)
    at te.<anonymous> (instantsearch.js@^4.0.0:2)
    at te.W.emit (instantsearch.js@^4.0.0:2)
    at te._dispatchAlgoliaError (instantsearch.js@^4.0.0:2)

Summary of the current situation:

rootlink.it

New API key, no HTTP Referers.
All Headers disabled in Nginx.

Error in Brave:

algoliasearchLite.min.js:3 POST https://954lcdmdf8-dsn.algolia.net/1/indexes/*/queries?x-algolia-agent=Algolia%20for%20vanilla%20JavaScript%20(lite)%203.32.0%3Binstantsearch.js%20(4.0.0)%3BJS%20Helper%20(0.0.0-5a0352a)&x-algolia-application-id=954LCDMDF8&x-algolia-api-key=9b2f8a5367f7e21af819bfc612c1074b 403
(anonymous) @ algoliasearchLite.min.js:3
s._request @ algoliasearchLite.min.js:3
r @ algoliasearchLite.min.js:2
n._jsonRequest @ algoliasearchLite.min.js:2
n.search @ algoliasearchLite.min.js:2
te._search @ instantsearch.js@^4.0.0:2
te.searchOnlyWithDerivedHelpers @ instantsearch.js@^4.0.0:2
t.search @ instantsearch.js@^4.0.0:2
value @ instantsearch.js@^4.0.0:2
(anonymous) @ app.js?v=3f1f5b6a8b:101
instantsearch.js@^4.0.0:2 Uncaught (in promise) Error: Uncaught, unspecified "error" event. ([object Object])
    at y.W.emit (instantsearch.js@^4.0.0:2)
    at te.<anonymous> (instantsearch.js@^4.0.0:2)
    at te.W.emit (instantsearch.js@^4.0.0:2)
    at te._dispatchAlgoliaError (instantsearch.js@^4.0.0:2)

Hi Giacomo,

As you can see going to another search page powered by Algolia (e.g. https://www.algolia.com/search/ ), there’s no incompatibility with the Brave browser and Algolia.

In your latest code example, this is not a new API key, it’s still (9b2f8a5367f7e21af819bfc612c1074b), and testing on your website shows that you still have the same error about an Invalid Referer.

I hope it’s not dynamic

Your CSP is good, and there’s no issue putting the App ID in there, as this is constant.

Refused to load the script

The script it failed to load is not linked to Algolia, but google analytics.

Now I have also tried to remove all the Restrictions from the API Key

There’s no mention of algolia.net in the referers you’ve set for this application, I think you’re not modifying the right one.
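The two Content-Security-Policy problems discussed above (the `connect-src` entries needed for the search POST, and the `data:` script that is blocked by `script-src`), as an added example that is not part of this thread and not Algolia's code. It is a small evaluator for the source forms those two directives use, run against constructed policy strings; the strings illustrate the point and are not the poster's exact nginx values, and the page origin, the truncated `data:` URL and the policy names are assumptions. Only `'self'`, `'none'`, scheme sources such as `data:`, and host sources with an optional scheme and `*.` prefix are modelled; paths, ports, nonces and hashes are not.

```javascript
// Added example, not code from this thread or from Algolia. Evaluates whether a
// CSP header lets the Algolia search request and the base64 data: script load.
// Policy strings below are constructed for illustration, not the poster's real header.

// Parse "name src src; name src" into Map(name -> [sources]); first occurrence wins.
function parseCsp(header) {
  const policy = new Map();
  for (const directive of header.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/).filter(Boolean);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// CSP host-source rule: "algolia.net" matches only that exact host;
// "*.algolia.net" matches any subdomain and not the bare domain itself.
function hostMatches(pattern, hostname) {
  const p = pattern.toLowerCase(), h = hostname.toLowerCase();
  if (p === '*') return true;
  if (p.startsWith('*.')) return h.endsWith(p.slice(1));
  return p === h;
}

// Does a single source expression permit `url` for a page served from `pageOrigin`?
function sourceMatches(source, url, pageOrigin) {
  const target = new URL(url);
  if (source === "'none'") return false;
  if (source === "'self'") return target.origin === pageOrigin;        // data: URLs have origin "null"
  if (source.startsWith("'")) return false;                             // 'unsafe-inline' etc. never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return target.protocol === source.toLowerCase(); // e.g. "data:"
  const m = source.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/]+)/i);    // [scheme://]host (path ignored)
  if (!m) return false;
  const [, scheme, host] = m;
  if (scheme && target.protocol !== scheme.toLowerCase() + ':') return false;
  return hostMatches(host, target.hostname);
}

// Browser fallback order for the two directives the thread hit.
const FALLBACK = {
  'script-src-elem': ['script-src-elem', 'script-src', 'default-src'],
  'connect-src': ['connect-src', 'default-src'],
};

// True if `url` may load under `directive`; if no governing directive exists, nothing restricts it.
function allowedBy(policy, directive, url, pageOrigin) {
  const name = (FALLBACK[directive] || [directive, 'default-src']).find(d => policy.has(d));
  if (!name) return true;
  return policy.get(name).some(s => sourceMatches(s, url, pageOrigin));
}

// Constructed inputs: assumed page origin, the search endpoint from the thread,
// and the data: script truncated to its beginning.
const PAGE_ORIGIN = 'https://rootlink.it';
const ALGOLIA_QUERY_URL = 'https://954lcdmdf8-dsn.algolia.net/1/indexes/*/queries';
const GA_SHIM_URL = 'data:application/javascript;base64,KGZ1bmN0aW9uKCkgewoJLy8g';

// Bare domains, as first tried in the thread: they do not cover the "<appid>-dsn." host.
const NARROW_CSP = "default-src 'self'; connect-src algolia.net algolianet.com algolia.com; script-src 'self' 'unsafe-inline'";
// Wildcard hosts cover the DSN host and the client's *.algolianet.com fallback hosts
// without hard-coding the application ID.
const WORKING_CSP = "default-src 'self'; connect-src 'self' *.algolia.net *.algolianet.com; script-src 'self' 'unsafe-inline' 'unsafe-eval'";

// Outcome for the two loads that produced console errors in the thread.
function report(cspHeader) {
  const policy = parseCsp(cspHeader);
  return {
    algoliaSearch: allowedBy(policy, 'connect-src', ALGOLIA_QUERY_URL, PAGE_ORIGIN),
    dataScript: allowedBy(policy, 'script-src-elem', GA_SHIM_URL, PAGE_ORIGIN),
  };
}

console.log('narrow :', report(NARROW_CSP));
console.log('working:', report(WORKING_CSP));
```

Two things the evaluator makes concrete. A bare host in `connect-src` matches only that host, so `algolia.net` alone never admits `954lcdmdf8-dsn.algolia.net`; `*.algolia.net *.algolianet.com` admits the DSN host and the client's fallback hosts without pinning the application ID (in nginx that is the value of `add_header Content-Security-Policy "..."`). The `data:` script stays blocked under both policies, which is the correct outcome: the decoded no-op `Tracker` shim shown later in the thread is unrelated to Algolia, and adding `data:` to `script-src` to silence the report would allow any `data:` URL script to run. The `'unsafe-inline'` and `'unsafe-eval'` entries the thread's original header carried already weaken `script-src` considerably and deserve their own review.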

I was still testing, I pasted the wrong error.

Nice to know.

I didn’t understand this, I will investigate about this thing.

Looks like it’s ok now, I’m just having problems with the Headers.

Although they can be retrieved publicly, I kindly request the removal of my Referers and domain names not posted by me, because I am not the owner of the site, and not the owner of the account algolia

Anyway I set a password to log in to rootlink.it “brave” if you still want to log in.

I will edit the Headers correctly and let you know if the problem is solved to close the topic. Thanks

Please keep us updated.
I’ve removed the headers from my message, but you should know you should consider those as public information, the same way domains listed in a CSP are also publicly exposed.

script it failed to load is not linked to Algolia, but google analytics.

I didn’t understand this, I will investigate about this thing.

Here’s what happens if you decode the base64 of this string (I took only the beginning)

atob('KGZ1bmN0aW9uKCkgewoJLy8gaHR0cHM6Ly9kZXZlbG9wZXJzLmdvb2dsZS5jb20vYW5hbHl0aWNzL2Rldmd1aWRlcy9jb2xsZWN0aW9uL2FuYWx5dGljc2pzLwoJdmFyIG5vb3BmbiA9IGZ1bmN0aW9uKCkgewoJCTsKCX07Cgl2YXIgbm9vcG51bGxmbiA9IGZ1bmN0aW9uKCkgewoJCXJldHVybiBudWxsOwoJfTsKCS8vCgl2YXIgVHJhY2tlciA9IGZ1bmN0aW9uKCkgewoJCTsKCX07Cgl2YXIgcCA9IFRyYWNrZXIucHJvdG90eXBlOwoJcC5nZXQgPSBub29wZm47CglwLnNldCA9IG5vb3BmbjsKCXAuc2VuZCA9IG5vb3BmbjsKCS8vCgl2')
> "(function() {
	// https://developers.google.com/analytics/devguides/collection/analyticsjs/
	var noopfn = function() {
		;
	};
	var noopnullfn = function() {
		return null;
	};
	//
	var Tracker = function() {
		;
	};
	var p = Tracker.prototype;"

As you can see, this is google analytics related code.

I know, I asked you for a courtesy, thanks.

I saw the same thing when you pointed out the error, I decoded the code and it is clearly referring to Google Analytics.

In summary, for the Brave browser I had to add the Algolia domains in the HTTP Referers. Nothing else.

We can close the topic.

Thanks for your help.