CORS, Content Security Policy and Access Control for SAFE sites

@ben

Added:
Header add Content-Security-Policy "default-src 'self'"

Stopped and started the server and indeed, blocked:
CSP14312: Resource violated directive 'default-src 'self'' in Content-Security-Policy: http://localhost:8100/auth. Resource will be blocked.

Took that CSP line out again, stopped and started and was allowed to approach Safe Launcher again. This was in Edge 14 (Microsoft Edge 38.14393.0.0).

Odd, default-src 'self' is already in the proxy.

Just to clarify, the setup is: you are hosting a file (the one you posted), which has an iframe to a file hosted on safenet/served through the safenet proxy?

Wait. That doesn't appear to be the case though. Only that second file (from within the iframe) is then going through the launcher, am I correct? Well in that case, that's the first place the CSP is currently returned and thus the other pages before aren't protected by it. It's rather odd that FF and Chrome block here; they shouldn't.

But those aren't realistic conditions: on safenetwork your initial html and the iframed html page would also be served with CSP headers, thus eliminating the problem you are talking about. This only happens in the specific development setup you have at the moment.

Either way, I feel even more strongly about streamlining this now. The pages of your local system should be served with the same CSP headers to create realistic conditions and avoid finding out about problems like these only after you have deployed.
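To make the behaviour discussed above reproducible without a browser, here is an added example (not code from the launcher, proxy or this thread) that evaluates a simplified subset of CSP source expressions ('none', 'self' and explicit scheme://host[:port] sources) and shows why a page served from an assumed origin of http://localhost/ cannot reach http://localhost:8100/auth under `default-src 'self'`, while a dev-only policy that allow-lists the launcher origin keeps the header in place instead of removing it.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port) for a URL, filling in the scheme's default port.
    'self' in CSP matches on the full origin, so a differing port is a different origin."""
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or DEFAULT_PORTS.get(p.scheme))


def source_allows(source, document_url, target_url):
    """Evaluate one CSP source expression for a fetch from document_url to target_url.
    Simplified subset: 'none', 'self', and scheme://host[:port] host-sources only."""
    if source == "'none'":
        return False
    if source == "'self'":
        return origin(document_url) == origin(target_url)
    if "://" in source:
        return origin(source) == origin(target_url)
    raise ValueError("unsupported source expression: %r" % source)


def policy_allows(csp_header, document_url, target_url, directive="connect-src"):
    """Return True if the policy permits the fetch. Uses the named directive when the
    header carries it, otherwise falls back to default-src, as browsers do."""
    directives = {}
    for part in csp_header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0]] = tokens[1:]
    sources = directives.get(directive) or directives.get("default-src")
    if sources is None:
        return True  # no applicable directive: the fetch is unrestricted
    return any(source_allows(s, document_url, target_url) for s in sources)


# Constructed inputs: the page origin is assumed; the launcher URL is the one from the thread.
PAGE = "http://localhost/"
LAUNCHER = "http://localhost:8100/auth"
STRICT_POLICY = "default-src 'self'"
DEV_POLICY = "default-src 'self'; connect-src 'self' http://localhost:8100"

if __name__ == "__main__":
    print("strict:", policy_allows(STRICT_POLICY, PAGE, LAUNCHER))  # False: port differs
    print("dev:", policy_allows(DEV_POLICY, PAGE, LAUNCHER))        # True: launcher allow-listed
```

The dev policy only widens `connect-src`; any other fetch type (images, frames) still falls back to `default-src 'self'`.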

I agree, but also with the option to turn CSP off with a debug setting, not something directed at everyday users (like the difficult to access CORS control variable in Firefox etc.)

I'm now trying to locally run a safe web app and I'm running into this issue with launcher v0.10.0.
I tried with a local launcher as well, with "npm run dev", but it still doesn't work. Is there a way to overcome this with the launcher? Or what are my options?
I'm using safe-js, and either with or without the polyfill I see the same result.


CSP is disabled on latest launchers, because there is no proxy anymore.

I think there might be a different problem, but it gets exposed as a "CSP" problem. Dunno why, but the browser does that sometimes. Take a close look at the actual error message in the object in the console and the HTTP request.

Just to check: have you "disabled web security on new tabs" and opened a new tab?

If not that would cause this.

EDIT: Oh, you'll need to be running a local Beaker too, with NODE_ENV=devel, or you won't get that menu option!


Thanks a lot @ben and @happybeing!
It worked after "disabling the web security for new tabs" as suggested by @happybeing (I'm sorry I wasn't aware of this option :blush:). Although, I was able to do it with an AppImage of Beaker (v0.4.0-5).


Although, I was able to do it with an AppImage of Beaker (v0.4.0-5).

That sounds like a bug! @joshuef?

Huh? I'm confused… It works or?

If not, please try with the latest version (0.4.2 stable) Releases · joshuef/beaker · GitHub, dev mode with NODE_ENV=development as @happybeing noted.

Let me know how you get on!


My understanding is that @happybeing was suggesting this option shouldn't be available when running the AppImage but only if you build it with NODE_ENV=devel.

Aha. Yes that makes sense :smiley: Totally read this wrong.

@happybeing this is only available with the AppImage? Or all linux builds?

Ask @bochaco. I haven't tried it. I'm only using source!


I've been using the AppImage v0.4.0-5 x64 only, and it works, i.e. I'm able to use the safe-js polyfill to connect to the Launcher, running my app locally with nodejs.

As an aside comment, for those devs out there, I also managed to do the same running my app within Electron.
