Tags: content-security-policy, cloudant

Cloudant couchapp fails suddenly with CSP sandbox error


I have a couchapp which has been hosted on Cloudant free plan for years. A few days ago it started failing: the html, css and img files load but it doesn't load any of the js. The browser console error is:

Blocked script execution in 'https://b482ecaa-1ac2-4933-bec9-ecade207eea0-bluemix.cloudant.com/wxd/_design/app/index.html' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.

The index.html response headers include Content-Security-Policy: sandbox

I have a replica of this database on my local LAN and it does not have this problem, and its response headers do not include this.

I haven't changed the couchapp or any configuration at all, so Cloudant must have changed some configuration. I notice that Cloudant was updated to 2.96 on 10/14, which coincides with the timing, but I don't see anything in the release notes which mentions sandbox or Content-Security-Policy.

The Couchdb docs mention configuration variables related to CSP, but I can't find any way to change these configuration settings in the Cloudant dashboard, nor can I find any mention of it in the Cloudant docs.

Is this a configuration error on the part of Cloudant, and if so, are they likely to reverse it? If not, is there a way to change this configuration for my site or any other workaround?

UPDATE: I had an idea that perhaps I could override this by including a <meta http-equiv="Content-Security-Policy" tag in the document, but according to CSP documentation, sandbox is not allowed in a meta tag.


Solution

  • Unfortunately, CouchApps will no longer run on Cloudant. As explained in this blog post a new Content-Security-Policy: sandbox header has been added to all attachment fetches. This prevents JavaScript execution and therefore JavaScript-based CouchApps will cease to function.

    The reason for the change is to mitigate this CVE.
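To confirm this diagnosis on any response, here is an added example (not code from the question, the answer, or Cloudant) that parses Content-Security-Policy header values and reports whether the sandbox directive would block script execution. The two header lists are constructed to mirror the Cloudant and local-replica responses described in the question.

```python
# Added example: decide from response headers whether CSP's sandbox directive
# would block script execution (the failure the question describes).
from typing import Dict, Iterable, List, Tuple

Header = Tuple[str, str]

# Constructed sample header sets, mirroring the two responses in the question.
CLOUDANT_LIKE_HEADERS: List[Header] = [
    ("Content-Type", "text/html"),
    ("Content-Security-Policy", "sandbox"),
]
LOCAL_REPLICA_HEADERS: List[Header] = [
    ("Content-Type", "text/html"),
]

def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split one CSP header value into {directive: [tokens]}.
    Directives are ';'-separated, names are case-insensitive, and a
    repeated directive is ignored (the first occurrence wins)."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def scripts_blocked_by_sandbox(csp_values: Iterable[str]) -> bool:
    """True if any enforced policy carries 'sandbox' without 'allow-scripts'.
    Every delivered policy is enforced, so one restrictive header suffices."""
    for value in csp_values:
        policy = parse_csp(value)
        if "sandbox" in policy:
            flags = {t.lower() for t in policy["sandbox"]}
            if "allow-scripts" not in flags:
                return True
    return False

def response_blocks_scripts(headers: Iterable[Header]) -> bool:
    """Apply the check to raw response headers. Only the enforcing header
    counts: the sandbox directive is ignored in Report-Only mode, and it
    cannot be set from a <meta> tag at all, which is why the workaround
    in the question's update does not work."""
    enforced = [v for k, v in headers if k.lower() == "content-security-policy"]
    return scripts_blocked_by_sandbox(enforced)

if __name__ == "__main__":
    for label, hdrs in (("cloudant", CLOUDANT_LIKE_HEADERS),
                        ("local replica", LOCAL_REPLICA_HEADERS)):
        state = "blocked" if response_blocks_scripts(hdrs) else "allowed"
        print(f"{label}: script execution {state}")
```

Feed it the header list from any HTTP client (for example the `.headers.items()` of a fetched response) to check a live server the same way.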