In trying to configure my server for the CSP headers, I'd like to be able to run the ember csp-headers command to populate an environment variable with the correct header value.

However, because of the information text included at the beginning of the command output, I cannot use this output directly.

I believe a simple option, such as raw or direct when flagged to true, will simply output the policy result.

Setting contentSecurityPolicy: {'script-src': "'self'"} on an Ember-CLI app causes a CSP violation, if that app is accessed on Windows (maybe also other OS) via latest stable Firefox with Ember Inspector addon installed. Here are the steps to reproduce:

• On Windows (7) generate a new Ember app (latest ember-cli) and start: ember serve --host localhost
• Add contentSecurityPolicy: {'script-src': "'self'"} to your environment.js
• On latest stable Firefox install addon Ember Inspector (make sure that its tab appears at the inspector pane)
• browse to http://localhost:4200/
• you will get the CSP report. If not, click the reload button

I know that adding contentSecurityPolicy: {'script-src': "'self'"} to environment.js doesn't really make sense, because that's the default setting anyway. But nevertheless I think that CSP violation shouldn't occur. By the way, it doesn't happen with Chrome + Ember Inspector. Here is the CSP report:

{"csp-report":{
  "blocked-uri":"self",
  "document-uri":"http://localhost:4200/",
  "line-number":58,
  "original-policy":
    "script-src http://localhost:4200 http://localhost:35729 http://0.0.0.0:35729; 
     default-src 'none'; 
     font-src http://localhost:4200; 
     connect-src http://localhost:4200 ws://localhost:35729 ws://0.0.0.0:35729 http://localhost:4200/csp-report; 
     img-src http://localhost:4200; 
     style-src http://localhost:4200; 
     media-src http://localhost:4200; 
     report-uri http://localhost:4200/csp-report",
  "referrer":"",
  "script-sample":"call to eval() or related function blocked by CSP",
  "source-file":"resource://gre/modules/commonjs/toolkit/loader.js ->
                 resource://gre/modules/commonjs/sdk/loader/sandbox.js ->
                 resource://ember-inspector-at-emberjs-dot-com/ember-inspector/data/content-script.js",
  "violated-directive":"script-src http://localhost:4200 http://localhost:35729 http://0.0.0.0:35729"
}}

If I remove contentSecurityPolicy: {'script-src': "'self'"}, the CSP violation doesn't occur any longer.

[email protected] is one of the dependency and has [email protected] as its dependency.Please update ember-cli-babel to reflect the update, as [email protected] has a well known serious RegExp flaw.

I'm not sure what it's like in other browsers, but Chrome's console looks like someone slaughtered a small goat when you try to add something like this to the source:

<object class="header-icon" data="images/my-svg-image.svg" width="40"  height="23" type="image/svg+xml"></object>

Looks like object-src and frame-src should also be set to self.

WIth a simple project ember seems to crash when url is visited. I really don't know the reason for this this is the error I get. Thanks!

 client   | Error: connect EHOSTUNREACH
 client   |     at errnoException (net.js:904:11)
 client   |     at connect (net.js:766:19)
 client   |     at net.js:845:9
 client   |     at asyncCallback (dns.js:68:16)
 client   |     at Object.onanswer [as oncomplete] (dns.js:121:9)

I am running ember-cli-content-security-policy 0.4.0.

Just copy-pasted your example to my environment.js:

ENV.contentSecurityPolicy = {
  'default-src': "'none'",
  'script-src': ["'self'", "https://cdn.mxpnl.com"], // Allow scripts from https://cdn.mxpnl.com
  'font-src': ["'self'", "http://fonts.gstatic.com"], // Allow fonts to be loaded from http://fonts.gstatic.com
  'connect-src': ["'self'", "https://api.mixpanel.com", "http://custom-api.local"], // Allow data (ajax/websocket) from api.mixpanel.com and custom-api.local
  'img-src': "'self'",
  'style-src': ["'self'", "'unsafe-inline'", "http://fonts.googleapis.com"], // Allow inline styles and loaded CSS from http://fonts.googleapis.com
  'media-src': null // `media-src` will be omitted from policy, browser will fallback to default-src for media resources.
}

My headers are then:

Content-Security-Policy-Report-Only: default-src 'none'; script-src 'self',https://cdn.mxpnl.com,e,l,f,', ,',u,n,s,a,f,e,-,e,v,a,l,' localhost:49152 0.0.0.0:49152; font-src 'self',http://fonts.gstatic.com,e,l,f,'; connect-src 'self',https://api.mixpanel.com,http://custom-api.local,l,f,' ws://localhost:49152 ws://0.0.0.0:49152 http://undefined:16013/csp-report; img-src 'self'; style-src 'self','unsafe-inline',http://fonts.googleapis.com,l,f,'; media-src null; report-uri http://undefined:16013/csp-report;

Please note the:

,e,l,f,', ,',u,n,s,a,f,e,-,e,v,a,l,'

part, and other strange parts. It seems that the post-processing that is being performed on the user-configured csp (ot add livereload, etc) is breaking things.

The http-equiv will always be Content-Security-Policy.

The report-uri fix that is currently on master seems to only partially work.

When adding SVG images to the page via an object tag:

<object class="header-icon" data="images/my-svg-image.svg" width="40"  height="23" type="image/svg+xml"></object>

the following error is shown in console:

The Content Security Policy 'default-src 'none'; connect-src 'self' ws://localhost:35729 ws://0.0.0.0:35729; font-src 'self' https://fonts.gstatic.com; frame-src 'self'; img-src 'self'; media-src 'self'; object-src 'self'; script-src 'self' localhost:35729 0.0.0.0:35729; style-src 'self' http://fonts.googleapis.com https://fonts.googleapis.com;' was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header.

The source line for that error is:

images/my-svg-image.svg:1

This addon is outdated with the recent Ember versions

[email protected]:
  version "0.5.0"
  resolved "https://registry.yarnpkg.com/ember-cli-content-security-policy/-/ember-cli-content-security-policy-0.5.0.tgz#059ce3157bcdab65c29b1d26c31682410293f1c4"
  dependencies:
    body-parser "^1.12.3"
    chalk "^1.0.0"
    ember-cli-babel "^5.0.0"

$> ember -v

ember-cli: 2.14.1
node: 8.2.1
os: darwin x64

Normal request:
Request Method:GET
Status Code:200 OK

Response:
Access-Control-Allow-Origin: http://localhost:4300

404 request:
Request Method:GET
Status Code:404 Not Found

(no Access-Control-Allow-Origin here)

This makes it hard to debug 404 pages when developing locally. Any ideas on how to fix this?

Hi, I've just updated to ember-cli 0.1.1 which includes this addon. Now I'm getting tons of reports as I'm using both Google Fonts and the YouTube iframe API. How should I handle these? Thank you very much.

GET http://localhost:35729/livereload.js?snipver=1 net::ERR_NETWORK_ACCESS_DENIED

[Report Only] Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' https://www.youtube.com/iframe_api localhost:35729".

[Report Only] Refused to load the stylesheet 'http://fonts.googleapis.com/css?family=PT+Sans:400,700,400italic' because it violates the following Content Security Policy directive: "style-src 'self'".

[Report Only] Refused to load the font 'http://fonts.gstatic.com/s/ptsans/v7/fhNmDCnjccoUYyU4ZASaLQLUuEpTyoUstqEm5AMlJo4.woff2' because it violates the following Content Security Policy directive: "font-src 'self'".

I attempted to edit the ENV.contentSecurityPolicy inside config/environment.js as this:

contentSecurityPolicy: {
      'default-src': "'none'",
      'script-src': "'self' https://www.youtube.com/iframe_api",
      'font-src': "'self'; fonts.googleapis.com; http://fonts.gstatic.com",
      'connect-src': "'self'",
      'img-src': "'self'",
      'style-src': "'self'"
    }

I'm writing an app that uses WebRTC, which I need to serve it via valid HTTPS and I'm using ngrok for this. Currently when loading my app through ngrok domain, I'm getting:

Mixed Content: The page at 'https://xxxxxx.ngrok.io/' was loaded over HTTPS, but requested an insecure hyperlink auditing endpoint 'http://0.0.0.0:4200/csp-report'. This request has been blocked; the content must be served over HTTPS.

It looks like it can be easily fixed by adding req.hostname to a list of hosts here.

Using the Inspector on Firefox causes a CSP violation. This might be related to #38. I already applied ZebraFlesh@b851c05, but that does only concern script-src. Steps to reproduce:

• On Windows (7) generate a new Ember app (latest ember-cli) and start: ember serve --host localhost
• With latest stable Firefox browse to http://localhost:4200/
• Open the inspector and play around with the selector and page elements
• you will get CSP reports. They might not be shown in the console, but they'll appear in the network tab and in the console output of ember serve
  The CSP reports will be similar to:

{"csp-report":{
  "blocked-uri":"self",
  "document-uri":"http://localhost:4200/",
  "original-policy":
    "default-src 'none'; 
     script-src http://localhost:4200 'unsafe-eval' http://localhost:35729 http://0.0.0.0:35729; 
     font-src http://localhost:4200; 
     connect-src http://localhost:4200 ws://localhost:35729 ws://0.0.0.0:35729 http://localhost:4200/csp-report; 
     img-src http://localhost:4200; 
     style-src http://localhost:4200; 
     media-src http://localhost:4200; 
     report-uri http://localhost:4200/csp-report",
  "referrer":"",
  "script-sample":"width:100%;height:100%;",
  "source-file":"http://localhost:4200/",
  "violated-directive":"style-src http://localhost:4200"
}}

I am using ember-cli version 0.1.2 and "ember-cli-content-security-policy": "0.3.0".

I am trying to use stripe but everytime I submit a request to stripe and get a response, Ember-cli will yell at me with:

 [Report Only] Refused to load the script 'https://api.stripe.com/v1/tokens?card[number]=76&card[cvc]=90&card[exp_mont…pk_test_omMgQGUbGqdvwpHDg2L2crpm&callback=sjsonp1416392279257&_method=POST' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' localhost:35729 0.0.0.0:35729".

my config.js has:

   contentSecurityPolicy: {
    'default-src': "'none'",
    'script-src': "'self' 'unsafe-eval' http://*:35729 https://api.stripe.com/v1 ",
    'font-src': "'self'",
    'connect-src': "'self' http://*:35729 https://api.stripe.com",
    'img-src': "'self'",
    'style-src': "'self'",
    'media-src': "'self'"
  }

What else do I need to get this working

During normal local development, the report-uri is computed as http://0.0.0.0:4200/csp-report. On unix based systems (including OS X), this is not a problem and the 0.0.0.0 is properly resolved to localhost or some equivalent. On Windows, the POST fails completely and CSP report is never logged to the console. Windows just doesn't like this address.

Using the latest revision (0.1.2) results in the following browser console errors and the application (foo4) failing to load:

Refused to load the stylesheet 'http://localhost:4200/assets/vendor.css' because it violates the following Content Security Policy directive: "style-src self".
 localhost/:13
Refused to load the stylesheet 'http://localhost:4200/assets/foo4.css' because it violates the following Content Security Policy directive: "style-src self".
 localhost/:14
Refused to load the script 'http://localhost:4200/assets/vendor.js' because it violates the following Content Security Policy directive: "script-src self".
 localhost/:1
Refused to load the script 'http://localhost:4200/assets/foo4.js' because it violates the following Content Security Policy directive: "script-src self".
 localhost/:1
Refused to connect to 'ws://127.0.0.1:35729/livereload' because it violates the following Content Security Policy directive: "connect-src self localhost:35729".
 livereload.js?ext=Chrome&extver=2.0.9:193
Uncaught SecurityError: Failed to construct 'WebSocket': Refused to connect to 'ws://127.0.0.1:35729/livereload' because it violates the document's Content Security Policy. livereload.js?ext=Chrome&extver=2.0.9:193

The actual headers reported by the browser are as follows:

HTTP/1.1 200 OK
X-Powered-By: Express
Content-Security-Policy: ; default-src none; ; script-src self; ; connect-src self localhost:35729; ; img-src self; ; style-src self;
X-Content-Security-Policy: ; default-src none; ; script-src self; ; connect-src self localhost:35729; ; img-src self; ; style-src self;
Last-Modified: Tue, 30 Sep 2014 08:04:31 GMT
Cache-Control: private, max-age=0, must-revalidate
Content-Length: 1100
Content-Type: text/html; charset=UTF-8
Date: Tue, 30 Sep 2014 08:04:37 GMT
Connection: keep-alive

The configuration of this addon doesn't feel inline with the rest of the ecosystem. This gets even worse if new configuration option are needed as it's the case for #91.

I like to suggest to refactor the configuration API as the following:

ENV['ember-cli-content-security-policy'] = {
  enabled: true,
  metaTag: false,
  policies: {
    'default-src': ["'none'"],
    'script-src':  ["'self'"],
    'font-src':    ["'self'"],
    'connect-src': ["'self'"],
    'img-src':     ["'self'"],
    'style-src':   ["'self'"],
    'media-src':   ["'self'"]
  },
  reportOnly: true,
}

The values shown above are suggested defaults.

For a transition period we might want to support existing configuration API. In that case the defaults would look like:

ENV['ember-cli-content-security-policy'] = {
  enabled: true,
  metaTag: ENV.contentSecurityPoliyMeta,
  policies: ENV.contentSecurityPolicy || {
    'default-src': ["'none'"],
    'script-src':  ["'self'"],
    'font-src':    ["'self'"],
    'connect-src': ["'self'"],
    'img-src':     ["'self'"],
    'style-src':   ["'self'"],
    'media-src':   ["'self'"]
  },
  reportOnly: ENV.contentSecurityPolicyHeader === 'Content-Security-Policy-Report-Only',
}

If we consider disabling the addon by setting ENV.contentSecurityPolicy === {} as a public API as suggested in #77, we might want to change the default for enabled to !ENV.contentSecurityPolicy || Object.keys(ENV.contentSecurityPolicy).length !== 0. We should deprecate the old configuration API at the same time. In that case this wouldn't be a breaking change but add some additional maintenance costs.

Please note that this API wouldn't require a change for #91. It would allow to disable throwing in tests by setting enabled = environment !== 'test'. metaTag option would be forced to true if running tests.

Can you do a version bump so the report-uri fix is in a tag? My console is complaining at me ;)

We are working on automating our CSP generation during deployment and ran into a couple of small usability issues that I wanted to report to see what your take is on this kind of thing.

1. Since the ember csp-headers command writes the CSP to stderr, we end up having to strip out any potential deprecation warnings from the output in order to get a valid CSP extracted:

Sample output:

$ ember csp-headers
DEPRECATION: Overriding init without calling this._super is deprecated. Please call `this._super.init && this._super.init.apply(this, arguments);` addon: `ember-data`
    at Function.Addon.lookup (/Users/jasonr/FrontEnd/node_modules/ember-cli/lib/models/addon.js:1617:27)
# Content Security Policy Header Configuration
#
# for Apache: Header set Content-Security-Policy "..."
# for Nginx : add_header Content-Security-Policy "...";

default-src self;

2. Additionally, even if the output was to be moved to stdout instead of stderr, we would still need to strip out the preceding instructional content:

# Content Security Policy Header Configuration
#
# for Apache: Header set Content-Security-Policy "..."
# for Nginx : add_header Content-Security-Policy "...";

Proposal:

1. Ensure the resulting CSP content is written to stdout instead of stderr
2. Add a flag to suppress the instructional content (or move the instructional content to --help instead of always outputting it during csp generation)

Perhaps something like this:

$ ember csp-headers --csp-only
default-src self;

This way the output is easily pipeable into other scripts, readable from childProcess.exec, and generally just ready to be used as soon as it is returned to the caller.

Thanks for looking :) I can probably take a stab at it sometime soon if you agree that a change like this is desirable.

liveReloadHost option is whitelisted in CSP headers but not in meta tag.

It's whitelisted in CSP header here: https://github.com/rwjblue/ember-cli-content-security-policy/blob/v1.0.0/index.js#L115

Something similar is needed for meta tag here: https://github.com/rwjblue/ember-cli-content-security-policy/blob/v1.0.0/index.js#L170

It's not that easy to fix cause the life reload host option is not pushed on process.env as port and base url are by ember-cli-live-reload: https://github.com/ember-cli/ember-cli-inject-live-reload/blob/master/index.js#L63-L64

It's not that critical cause ember-cli-live-reload seems to ignore the host option currently.

ember csp-headers is not using refactored configuration. Needs to be updated accordingly to #94 and #97. Should reuse calculateConfig function introduced in #97 to avoid similar issues.

This bug only affects current master as there wasn't a release since #94.

I use a hostname, something like:

http://portfolio.dev

for some of my projects. Could we make https://github.com/rwjblue/ember-cli-content-security-policy/blob/master/index.js#L38 work with a config'ed var instead of hard-coding those 2 options?

I'll take a stab at it if I get some time.

Report ...because it violates the following Content Security Policy directive: "worker-src 'none'" is thrown.

It looks like this code doesn't build under any version of iojs; running ember build causes the process to hang (and peg the CPU depending on the version of iojs). I started with the latest (1.8.1) and then cherry picked my way back to 1.0.0, all with the same result. I used nvm so I was always getting the correct iojs/npm pair. I'm running on OS X 10.10.3.

This is totally weird and I've never seen this sort of thing before. The build works fine under node.js 0.12.2.

Following the suggestion received on PR #15 I'm now opening this issue to track the development of this discussion.

@givanse suggested using an array of strings to represent the single CSP rule — this allows to programmatically manipulate the various rules.

@rwjblue liked the idea and mentioned the fact that we'd probably better define a deprecation path.

I added that maybe we could use csp: schema-prefixed keywords so that there's no need to mix single quotes (') and double quotes (") and to allow, once more, programmability.

The sample policy given in the readme is vulnerable to bypass attacks, as it whitelists an enitre CDN. More information: https://speakerdeck.com/mikispag/making-csp-great-again-michele-spagnuolo-and-lukas-weichselbaum

Currently the default policy object is merged with application configuration. This is confusing and is likely causing misconfiguation.

Lets assume someone tries to forbid any external assets. So he aims for a CSP Header as following:

Content-Security-Policy: default-src 'none';

He would most likely try a configuration as following:

let app = new EmberApp(defaults, {
  'ember-cli-content-security-policy': {
     policy: {
       'default-src': ["'none'"]
     }
  }
});

But that would result in the following CSP Header as it's merged with default policy object:

Content-Security-Policy: default-src 'none'; script-src 'self'; font-src 'self'; connect-src 'self'; img-src 'self' data:; style-src 'self'; media-src 'none';

In order to achieve the goal this configuration is needed:

let app = new EmberApp(defaults, {
  'ember-cli-content-security-policy': {
     policy: {
       'default-src': ["'none'"],
       'script-src':  null,
       'font-src':    null,
       'connect-src': null,
       'img-src':     null,
       'style-src':   null,
       'media-src':   null,
     }
  }
});

This is mentioned in README but easy to be missed:

To clear a directive from the default policy, set it to null.

The general refactoring of configuration done in #94 and #97 is a perfect time to change this in my opinion.

Having the policy object been merged might not have been a clear decision but might likely be caused by implementation details of Ember CLI's config hook.

Please note that the merging described here is currently broken in master due to #94. It will be fixed with #97, which also adds tests for this one. We would still need to support it for legacy run time configuration option contentSecurityPolicy to not add a breaking change.

Hi,

I'm using ember-cli to receive data from REST API backed by express at http://localhost:3000".
I have my env settings as follows

    contentSecurityPolicy: {
      'connect-src' : "'self' http://localhost:3000"
    }

While I can get the data and render it without problem, I'm still seeing a report-only warning as below:

[Report Only] Refused to load plugin data from '' because it violates the following Content Security Policy directive: "default-src 'none'". Note that 'object-src' was not explicitly set, so 'default-src' is used as a fallback.

This warning keeps bumping up until I override default-src from 'none' to 'self' in addition to the 'connect-src':

'default-src': "'self'",
...

Is this the expected behavior?

Here's the versions:

[Debug] DEBUG: ------------------------------- (vendor.js, line 15931)
[Debug] DEBUG: Ember      : 1.13.3 (vendor.js, line 15931)
[Debug] DEBUG: Ember Data : 1.13.5 (vendor.js, line 15931)
[Debug] DEBUG: jQuery     : 1.11.3 (vendor.js, line 15931)
[Debug] DEBUG: ------------------------------- (vendor.js, line 15931)

I'm using safari to test the page, it this matters.

Thanks,
Gan

ENV.contentSecurityPolicy {
            'default-src': "'none'",
            'style-src': ["https://fonts.googleapis.com"],
}

$ ember csp-header:
default-src 'none'; style-src https://fonts.googleapis.com s e l f ' u n a - i;

ENV.contentSecurityPolicy {
            'default-src': "'none'",
            'style-src': "https://fonts.googleapis.com",
}

$ ember csp-header:
default-src 'none'; style-src https://fonts.googleapis.com;

Oddly, only does this for style-src, all the others are fine.

$ember -v
version: 1.13.15
node: 8.9.0
npm: 2.14.10
os: darwin x64

package.json

...
        "ember-cli-content-security-policy": "^1.0.0",
...

This is somewhat problematic if one wishes to add multiple entries...

Doing this on 0.4.0 doesn't seem to cause the problem (but then 0.4.0 doesn't seem to work at all... as it URL encodes the meta tags...)

Hopefully I'm just being dense

I am not sure how to add this to my CSP. I have tried it in many forms and it always breaks my CSP rule when I add it.

My CSP:

contentSecurityPolicy: {
      'img-src': "'self' *.tile.osm.org data:image/gif;base64,R0lGODlhAQABAAD/ACwAAAAAAQABAAACADs=",
      'script-src': "'self' 'unsafe-eval' localhost:35729 0.0.0.0:35729 demo3.mysite.com",
      'connect-src': "'self' ws://localhost:35729 ws://0.0.0.0:35729 demo3.mysite.com"
    }

Console error (if I remove the data:image clause):

[Report Only] Refused to load the image 'data:image/gif;base64,R0lGODlhAQABAAD/ACwAAAAAAQABAAACADs=' because it violates the following Content Security Policy directive: "img-src 'self' *.tile.osm.org".

Chrome throws additional errors when the CSP is active in Report-only mode but no report-uri is configured.

I think adding report-uri http://localhost:4200 to the CSP header would be fine for now.

Later on, we could add a blueprint for the server where we actually process the CSP reports.

From the http://content-security-policy.com/ website.

Note: It is known that having both Content-Security-Policy and X-Content-Security-Policy or X-Webkit-CSP causes unexpected behaviours on certain versions of browsers. Please avoid using deprecated X-* headers.

What do you make of this?

The README currently refers to config/content-security-policy.js, but having recently installed this addon and having problems with config not being detected, I dug around and found that the installed version 1.1.1 doesn't include the new code required to read from the config file.

Not a all required, if you are interested ember-cli org now exists now and as this repo provides core functionality you are welcome to transition it to that org.

I will be sure you continue to maintain existing commits + ownership.

If at this point in time you would prefer not to, this is fine. But if in the future you no-longer want to maintain this project, I will then gladly welcome it on the org.

Using ember-cli 1.13.6, generate a new application and run ember serve. Load the page in Chrome and Firefox, no CSP violations. Load the page in Safari 8.0.7 and you get: [Error] [Report Only] Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self'". (localhost, line 0)

So far I haven't been able to crack this one. :(

After installing the addon I noticed a slight delay in the Developer tools console. The page auto-loads as fast as usual, but the console remains in white-screen for about a second (maybe less).

It would be good to have an option, maybe in contentSecurityPolicyHeader, that turns it off.

It would be great if we could add a csp-headers command to ember to make copying the CSP-headers ridiculously easy. So I could just do:

ember csp-headers --environment production

And get the right headers for my production environment.

The development reporter only accepts POSTs of type application/csp-report. Unfortunately it looks like the latest version of Firefox is doing POSTs with a mime type of application/json. The net result is that Firefox doesn't spit out any console logging for CSP violations, making it difficult to debug. Digging into CSP, it looks like Firefox correctly flags a lot of things that other browsers don't (specifically around SVG).

unsafe-inline isn't sufficient to allow <script>...</script> on the page. CSP 2 requires those tags to have a hash of their contents. See https://www.w3.org/TR/2015/CR-CSP2-20150721/#script-src-hash-usage

Is there a way for this library to automatically calculate the hashes? Or should addons that use contentFor do the hashing and add the results to config.contentSecurityPolicy['script-src']? If the latter, could this addon expose an API to make that easier?

See also pgrippi/ember-cli-google-analytics#21

A couple of issues with the default policy:

• The README should probably say the default policy in development includes 'unsafe-eval' and that if you override the security policy you need to manually specify that as well,
• If you have fonts, the default policy doesn't actually work,
• Is there a reason the default policy isn't simply contentSecurityPolicy: { default-src: "'self'" } ?

UPDATE: I've also found that in practice as soon as you want to use say google maps apis, its effectively "pants down" as you have to add 'unsafe-inline' in addition to a few google api urls.

If there is a known way to avoid using 'unsafe-inline' with google maps I'd love to know.

When running ember serve with the --ssl the csp report is using http instead of https and the request is blocked by the browser.

Thanks for licensing ember-cli-content-security-policy under the MIT License. Very helpful.

So we can give proper credit, would it be possible to provide who the copyright under the MIT License belongs to in your LICENSE.md?

Disclaimer: This is only a proposal as I'm not the maintainer of this repo.

As you might have noticed I'm working on an incremental refactoring of the configuration of this addon. It makes sense to ship all changes in one release to avoid unnecessary noice.

I would suggest that next release includes these features:

• Move configuration to ember-cli-content-security-policy namespace, introduce an explicit enabled option and reword other options. (#92, #94)
• Move configuration to config/content-security-policy.js. (#30, #97, #104)
• Policy object should be replaced by application configuration not merged. (#99, #101)

There are some pending feature requests that could be implemented having sensitive defaults without introducing a breaking change if shiped together with configuration changes:

• Add an assertion to fail tests if CSP is violated. (#91)
• Add CSP header in FastBoot if addon is enabled and delivery includes header. (#113)

I suggest shipping all of them with the next release.

Also there are some bugs/regressions introduced by refactoring that must be fixed before release:

• CLI command is not using refactored configuration. (#98, #103)
• Runtime configuration should not be injected if not needed (#116, #121)
• Throws in FastBoot if disabled or delivery does not include header (#117, #118)
• Ensure consistent test results by always using test environment for CSP affecting tests (#119, #122)

Steps to be done after release:

• Update Ember CLI docs for Content Security Policy (ember-learn/cli-guides#146)

This would be a great foundation for jelhan/ember-style-modifier#11.

Maybe it would be useful to include in the README a open to all development example, something like:

if (environment === 'development') {
    ENV.contentSecurityPolicy = {
      'default-src': ["*"],
      'script-src':  null,
      'font-src':    null,
      'connect-src': null,
      'img-src':     null,
      'style-src':   null,
      'media-src':   null
    };
}

Given the following:

    contentSecurityPolicy: {
      'default-src': ["'self'", "*.foo.com"]
    }

I receive the following CSP report:

[Report Only] Refused to connect to 'https://bar.foo.com/thingy' because it violates the following Content Security Policy directive: "connect-src 'self' ws://localhost:49152 ws://0.0.0.0:49152 http://localhost:4200".

I would have expected #57 to address this, but it seems that we are missing something still...

I'm new to ember, so I may have mis-posted on the cli project, and as mentioned there this might not be a bug, not sure. ember-cli/ember-cli#5166

ember-cli/ember-cli#5415

This is still a problem after trying to upgrade everything in my app.

I'm using version 0.4.0 of this in ember-cli 0.2.3. In my environment.js I have included under contentSecurityPolicy:

'script-src': "'self'",

Now I get a CSP resport, comlaining about loading a ressource from "self" while there is specified:

("script-src http://localhost:4200 http://localhost:35729 http://0.0.0.0:35729")

I understand that these sources are added automatically, but why is "self" gone? if I do:

'script-src': "'self' http://localhost:3000",

I receive the same complaint, but stating:

("script-src http://localhost:4200 http://localhost:3000 http://localhost:35729 http://0.0.0.0:35729")

So the setting works, accept regarding "self".