Comments (11)
Why are you explicitly setting 'script-src': "'self'"
? This addon will do that for you automatically. In addition, in development mode it will add 'unsafe-eval'
so sourcemaps work (see the readme).
For grins, I explicitly set script-src to self and forced a style violation. Here's what Chrome on OS X reported:
Content Security Policy violation: {"csp-report":{"document-uri":"http://localhost:4200/",
"referrer":"http://localhost:4200/","violated-directive":"style-src 'self'","effective-directive":
"style-src","original-policy":"script-src 'self' localhost:35729 0.0.0.0:35729; default-src 'none';
font-src 'self'; connect-src 'self' ws://localhost:35729 ws://0.0.0.0:35729 http://0.0.0.0:4200/csp-report;
img-src 'self'; style-src 'self'; media-src 'self'; report-uri http://0.0.0.0:4200/csp-report;",
"blocked-uri":"","source-file":"http://localhost:4200/assets/vendor.js","line-number":13215,
"column-number":15,"status-code":200}}
Through trial and error, I've learned that if the browser is reporting a CSP violation, you're generally doing something to cause a CSP violation. 😊 For example, on Firefox if you use external SVG resources with the default settings from this addon, you'll get warnings about violating default-src: none. But only on Firefox -- the current Chrome release channel just lets it sail right by.
Can you provide the full CSP violation you're seeing and what browser/OS combo?
from ember-cli-content-security-policy.
Well, interesting: If I don't set 'script-src': "'self'"
, there is no complaint. Seems that explicitly setting it conflicts with the automatic setting somehow. Thus, it shouldn't be set and https://github.com/rwjblue/ember-cli-content-security-policy#example would be misleading. I use a config similar to the example, so that I can easily overlook these values even if they are left on the default setting.
Also interesting: the CSP report only shows in Firefox/Windows but not in Chrome/Windows. However, I don't really know how to debug that CSP, because it suffers from #31.
from ember-cli-content-security-policy.
Until my pull request is merged in, try using my fork to see CSP reports from Firefox: https://github.com/ZebraFlesh/ember-cli-content-security-policy. You can also see your browser doing a POST to the reporting endpoint and capture the data in the browser, but that gets old fast.
from ember-cli-content-security-policy.
@ZebraFlesh Thanks, but I alreay manually patched index.js
of this addon and it didn't work. See my comment on the PR: #35 (comment)
from ember-cli-content-security-policy.
Actually, you're now running into #36.
from ember-cli-content-security-policy.
@ZebraFlesh Thanks, for the workaround posted at #36. Now, I can debug. It revealed that the CSP violation was caused by the addon "Ember Inspector" that I installed in Firefox. Disabling it, silences the console. However, I still have CSP violations in the output of ember server
, that hint at self
not being included. For example:
{"csp-report":{
"blocked-uri":"self",
"document-uri":"http://localhost:4200/assets/images/logo.svg",
"line-number":6,
"original-policy":
"default-src 'none';
script-src http://localhost:4200 http://localhost:35729 http://0.0.0.0:35729;
font-src http://localhost:4200;
connect-src http://localhost:4200 http://localhost:3000 http://127.0.0.1:3000 ws://localhost:35729 ws://0.0.0.0:35729 http://localhost:4200/csp-report;
img-src http://localhost:4200; style-src http://localhost:4200;
media-src http://localhost:4200;
report-uri http://localhost:4200/csp-report","referrer":"http://localhost:4200/matchers",
"script-sample":"\n\n@font-face{font-family:'Sansation-Regu...",
"source-file":"http://localhost:4200/assets/images/logo.svg",
"violated-directive":"style-src http://localhost:4200"
}}
The violated-directive
does not mention self
but I have set:
contentSecurityPolicy: {
'default-src': "'none'",
'script-src': "'self'",
'font-src': "'self'",
'connect-src': "'self' http://localhost:3000 http://127.0.0.1:3000",
'img-src': "'self'",
'style-src': "'self'",
'media-src': "'self'"
}
If I remove the 'font-src': "'self'"
entry, I still get the exact same CSP in the server's output. So, it doesn't make a difference.
from ember-cli-content-security-policy.
That's very odd about the inspector addon causing a violation. If you can create a reproducible test case, I'd definitely open an issue against that project.
Regarding your problem, it sounds like you actually have a style violation, not a font violation. (Two keys here: "violated-directive":"style-src http://localhost:4200"
and "source-file":"http://localhost:4200/assets/images/logo.svg"
.) As of this moment, Firefox seems to be a bit tighter than Chrome with regards to SVG handling in general. If you open assets/images/logo.svg, does it contain any inline styles (including something as simple as <svg style="display: none;">...
)? That would certainly cause a CSP violation. Additionally, adding 'unsafe-inline'
to your 'style-src'
config should remove such a violation, but I would recommend against it.
from ember-cli-content-security-policy.
@ZebraFlesh Thanks, you were right. There were inline styles in my SVG. I removed them. Regarding that Ember Inspector CSP: I will further investigate it and might open an issue against it. Closing this.
from ember-cli-content-security-policy.
@ZebraFlesh I can reproduce the Ember Inspector CSP report now. Not sure though, whether that addon is the right place to file that issue. Maybe you can give me a hint? Here are the steps to reproduce:
- On Windows (7) generate a new Ember app (latest ember-cli) and start:
ember serve --host localhost
- Add
contentSecurityPolicy: {'script-src': "'self'"}
to yourenvironment.js
- On latest stable Firefox install addon Ember Inspector (make sure that its tab appears at the inspector pane)
- browse to
http://localhost:4200/
- you will get the CSP report. If not, click the reload button
I know that adding contentSecurityPolicy: {'script-src': "'self'"}
to environment.js
doesn't really make sense, because that's the default setting anyway. But nevertheless I think that CSP violation shouldn't occur. By the way, it doesn't happen with Chrome + Ember Inspector. Here is the CSP report:
{"csp-report":{
"blocked-uri":"self",
"document-uri":"http://localhost:4200/",
"line-number":58,
"original-policy":
"script-src http://localhost:4200 http://localhost:35729 http://0.0.0.0:35729;
default-src 'none';
font-src http://localhost:4200;
connect-src http://localhost:4200 ws://localhost:35729 ws://0.0.0.0:35729 http://localhost:4200/csp-report;
img-src http://localhost:4200;
style-src http://localhost:4200;
media-src http://localhost:4200;
report-uri http://localhost:4200/csp-report",
"referrer":"",
"script-sample":"call to eval() or related function blocked by CSP",
"source-file":"resource://gre/modules/commonjs/toolkit/loader.js ->
resource://gre/modules/commonjs/sdk/loader/sandbox.js ->
resource://ember-inspector-at-emberjs-dot-com/ember-inspector/data/content-script.js",
"violated-directive":"script-src http://localhost:4200 http://localhost:35729 http://0.0.0.0:35729"
}}
from ember-cli-content-security-policy.
So it looks like this addon is failing to add 'unsafe-eval'
to 'script-src'
in this scenario and that seems to be what it's complaining about ("script-sample":"call to eval() or related function blocked by CSP"
). If you remove the contentSecurityPolicy: {'script-src': "'self'"}
from environment.js
, does this error go away? If no more errors occur at that point, I'd say file an issue here. If more issues occur, file an issue against Ember Inspector.
from ember-cli-content-security-policy.
yes, if I remove contentSecurityPolicy: {'script-src': "'self'"}
the error goes away. Will file a new issue here.
from ember-cli-content-security-policy.
Related Issues (20)
- Cannot read property 'policy' of undefined HOT 2
- Problem with using 'unsafe-inline' in script-src HOT 12
- Dev server CSP items are missing when requested with Accept: text/html using Fastboot on master HOT 4
- Development server must be restarted after each configuration change HOT 2
- Create blueprint config/content-security-policy.js on installation HOT 1
- Should remove `report-uri` from CSP if used in meta tag HOT 7
- Add support for inline JS inserted via content-for HOT 7
- In test mode frame-src settings are overwritten HOT 1
- Use GitHub Action instead TravisCI HOT 1
- Setup Prettier HOT 5
- Support Ember Auto Import without requiring manual configuration
- Use report-to instead of the deprecated report-uri HOT 1
- Automate dependency upgrades HOT 4
- Improve developer experience with new apps HOT 1
- Tests fail after installing this addon because of `ember-cli` HOT 6
- Inconsistent test results HOT 1
- Build fails with storeConfigInMeta=false HOT 2
- [2.0.0-5]+ A `meta` tag is added even if only `header` is requested as delivery method HOT 6
- Minor Spelling Mistake HOT 5
- Breaks if serving separately from build command HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from ember-cli-content-security-policy.