
sandstrom commented on June 2, 2024

In addition to what I wrote above there has been some recent discussion on object-src and Flash[1]. Basically I think 'none' is a good default value for object-src (this is just a default value, the idea with CSP is to modify it to fit an individual site) and will close this issue for now.

Again, if you have thoughts on how to improve the documentation around this I'm all ears.

[1] https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/45542.pdf

from ember-cli-content-security-policy.

ZebraFlesh commented on June 2, 2024

I'm of the opinion that this is a good thing. SVG has so many potential attack vectors that it really boggles the mind. I didn't realize the problem until I started using this addon, got some violations, and dug into it. There's also the issue of very different SVG support, even between Firefox and Chrome. We could certainly change the settings such that SVG works out of the box, but then no one is slaughtering a goat in your console and prompting you to learn about how SVG and CSP combine (or don't, in some cases).

Here's a good SVG doing bad things resource: https://www.blackhat.com/docs/us-14/materials/us-14-DeGraaf-SVG-Exploiting-Browsers-Without-Image-Parsing-Bugs.pdf It includes some discussion of CSP, probably CSP level 1 or 1.1 given the age of the presentation.

@rwjblue do you have an opinion?


sandstrom commented on June 2, 2024

@jfelchner I think this is outside the scope of this addon (the question concerns browsers and CSP).


jfelchner commented on June 2, 2024

@sandstrom the other one I agreed with, but I have no idea who you are.


sandstrom commented on June 2, 2024

@jfelchner Sorry for being brief, I should have explained better.

I agree it's bad that the console looks like a slaughtered 🐐. However, accepting various uses of SVG by default would require relaxing a few directives. You mention object-src and frame-src. One could also add data: * and 'unsafe-inline' to that list (for other SVG + CSP issues, see below).

This would indeed make it work better with SVG out of the box, but would also open it up quite a bit. The idea with CSP is to start with a restrictive policy and whitelist things as needed for each particular site.

This Github blog post gives a few examples on how permissive CSP-policies can be dangerous.

Since the CSP policy is configurable you can adjust it as needed. But I'm not convinced loosening the defaults is the right way.

Perhaps better documentation around SVG in the readme could help.

Let me know what you think!

Examples of SVG + CSP issues:
https://forum.ionicframework.com/t/refuse-to-load-the-image-svg-issue-with-search-bar-icons/47234
https://pokeinthe.io/2016/04/09/black-icons-with-svg-and-csp/

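The trade-off sandstrom describes (a restrictive default, then whitelisting per site rather than loosening object-src, frame-src, data: or 'unsafe-inline' globally) can be made concrete with a small audit over a CSP policy object. The code below is an added example, not part of the thread or of the ember-cli-content-security-policy addon: `policyToHeader` and `auditPolicy` are hypothetical helpers, the directive names are real CSP directives, and the three policy objects are constructed for illustration (the "restrictive" one is a stand-in for a locked-down default, not the addon's actual shipped configuration).

```javascript
// Added example: serialise a CSP policy object into a header value and flag the
// relaxations discussed in the thread. Not the addon's code; policies are constructed.

// Serialise {directive: [sources]} into a Content-Security-Policy header value.
function policyToHeader(policy) {
  return Object.entries(policy)
    .map(([directive, sources]) => `${directive} ${sources.join(' ')}`)
    .join('; ');
}

// Directives where a data: source lets attacker-controlled content (for example an
// SVG carrying <script>) be loaded as a document, plugin or script rather than a bitmap.
const DOCUMENT_LIKE = ['script-src', 'object-src', 'frame-src', 'default-src'];

// Return a list of {directive, source, reason} findings for the risky sources a
// reviewer would want to see before a policy ships.
function auditPolicy(policy) {
  const findings = [];

  // object-src should be 'none' unless plugins (Flash, etc.) are genuinely required;
  // fall back to default-src when object-src is not set explicitly.
  const objectSrc = policy['object-src'] || policy['default-src'];
  if (!objectSrc || !objectSrc.includes("'none'")) {
    findings.push({
      directive: 'object-src',
      source: objectSrc ? objectSrc.join(' ') : '(unset)',
      reason: "object-src should be 'none' unless plugins are required",
    });
  }

  for (const [directive, sources] of Object.entries(policy)) {
    for (const source of sources) {
      if (source === '*') {
        findings.push({ directive, source, reason: 'wildcard allows any origin' });
      } else if (source === "'unsafe-inline'" &&
                 ['script-src', 'style-src', 'default-src'].includes(directive)) {
        findings.push({ directive, source, reason: 'inline code defeats the XSS protection CSP gives' });
      } else if (source === 'data:' && DOCUMENT_LIKE.includes(directive)) {
        findings.push({ directive, source, reason: 'data: URIs here are attacker-controllable documents' });
      }
    }
  }
  return findings;
}

// Constructed stand-in for a locked-down default policy.
const restrictivePolicy = {
  'default-src': ["'none'"],
  'script-src': ["'self'"],
  'style-src': ["'self'"],
  'img-src': ["'self'"],
  'font-src': ["'self'"],
  'connect-src': ["'self'"],
  'object-src': ["'none'"],
  'frame-src': ["'none'"],
};

// Constructed "make every SVG use case work" relaxation: the directives the thread
// names are all loosened at once.
const relaxedForSvg = {
  ...restrictivePolicy,
  'object-src': ["'self'", 'data:'],
  'frame-src': ["'self'", 'data:'],
  'img-src': ["'self'", 'data:', '*'],
  'style-src': ["'self'", "'unsafe-inline'"],
};

// Constructed per-site whitelist: only inline SVG *images* (the "refused to load the
// image" case) are allowed, via img-src, and nothing else changes.
const narrowSvgPolicy = {
  ...restrictivePolicy,
  'img-src': ["'self'", 'data:'],
};

// Stand-alone demo.
for (const [name, policy] of Object.entries({ restrictivePolicy, relaxedForSvg, narrowSvgPolicy })) {
  console.log(`${name}: ${policyToHeader(policy)}`);
  for (const f of auditPolicy(policy)) {
    console.log(`  [${f.directive}] ${f.source}: ${f.reason}`);
  }
}
```

The point of the third policy is the one the thread makes: the Ionic "refused to load the image" error is fixed by adding data: to img-src alone, which the audit leaves clean, while the blanket relaxation trips five findings. A data: image in img-src renders as a bitmap with no script execution, whereas the same URI under object-src or frame-src is loaded as a document.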
