'self' not included despite being set about ember-cli-content-security-policy HOT 11 CLOSED

Why are you explicitly setting 'script-src': "'self'"? This addon will do that for you automatically. In addition, in development mode it will add 'unsafe-eval' so sourcemaps work (see the readme).

For grins, I explicitly set script-src to self and forced a style violation. Here's what Chrome on OS X reported:

Content Security Policy violation: {"csp-report":{"document-uri":"http://localhost:4200/",
"referrer":"http://localhost:4200/","violated-directive":"style-src 'self'","effective-directive":
"style-src","original-policy":"script-src 'self' localhost:35729 0.0.0.0:35729; default-src 'none'; 
font-src 'self'; connect-src 'self' ws://localhost:35729 ws://0.0.0.0:35729 http://0.0.0.0:4200/csp-report;
 img-src 'self'; style-src 'self'; media-src 'self'; report-uri http://0.0.0.0:4200/csp-report;",
"blocked-uri":"","source-file":"http://localhost:4200/assets/vendor.js","line-number":13215,
"column-number":15,"status-code":200}}

Through trial and error, I've learned that if the browser is reporting a CSP violation, you're generally doing something to cause a CSP violation. 😊 For example, on Firefox if you use external SVG resources with the default settings from this addon, you'll get warnings about violating default-src: none. But only on Firefox -- the current Chrome release channel just lets it sail right by.

Can you provide the full CSP violation you're seeing and what browser/OS combo?

from ember-cli-content-security-policy.

Well, interesting: If I don't set 'script-src': "'self'", there is no complaint. Seems that explicitly setting it conflicts with the automatic setting somehow. Thus, it shouldn't be set and https://github.com/rwjblue/ember-cli-content-security-policy#example would be misleading. I use a config similar to the example, so that I can easily overlook these values even if they are left on the default setting.
Also interesting: the CSP report only shows in Firefox/Windows but not in Chrome/Windows. However, I don't really know how to debug that CSP, because it suffers from #31.

from ember-cli-content-security-policy.

Until my pull request is merged in, try using my fork to see CSP reports from Firefox: https://github.com/ZebraFlesh/ember-cli-content-security-policy. You can also see your browser doing a POST to the reporting endpoint and capture the data in the browser, but that gets old fast.

from ember-cli-content-security-policy.

@ZebraFlesh Thanks, but I alreay manually patched index.js of this addon and it didn't work. See my comment on the PR: #35 (comment)

from ember-cli-content-security-policy.

Actually, you're now running into #36.

from ember-cli-content-security-policy.

@ZebraFlesh Thanks, for the workaround posted at #36. Now, I can debug. It revealed that the CSP violation was caused by the addon "Ember Inspector" that I installed in Firefox. Disabling it, silences the console. However, I still have CSP violations in the output of ember server, that hint at self not being included. For example:

{"csp-report":{
  "blocked-uri":"self",
  "document-uri":"http://localhost:4200/assets/images/logo.svg",
  "line-number":6,
  "original-policy":
    "default-src 'none'; 
     script-src http://localhost:4200 http://localhost:35729 http://0.0.0.0:35729; 
     font-src http://localhost:4200; 
     connect-src http://localhost:4200 http://localhost:3000 http://127.0.0.1:3000 ws://localhost:35729 ws://0.0.0.0:35729 http://localhost:4200/csp-report; 
     img-src http://localhost:4200; style-src http://localhost:4200; 
     media-src http://localhost:4200; 
     report-uri http://localhost:4200/csp-report","referrer":"http://localhost:4200/matchers",
  "script-sample":"\n\n@font-face{font-family:'Sansation-Regu...",
  "source-file":"http://localhost:4200/assets/images/logo.svg",
  "violated-directive":"style-src http://localhost:4200"
}}

The violated-directive does not mention self but I have set:

contentSecurityPolicy: {
  'default-src': "'none'",
  'script-src': "'self'",
  'font-src': "'self'",
  'connect-src': "'self' http://localhost:3000 http://127.0.0.1:3000",
  'img-src': "'self'",
  'style-src': "'self'",
  'media-src': "'self'"
}

If I remove the 'font-src': "'self'" entry, I still get the exact same CSP in the server's output. So, it doesn't make a difference.

from ember-cli-content-security-policy.

That's very odd about the inspector addon causing a violation. If you can create a reproducible test case, I'd definitely open an issue against that project.

Regarding your problem, it sounds like you actually have a style violation, not a font violation. (Two keys here: "violated-directive":"style-src http://localhost:4200" and "source-file":"http://localhost:4200/assets/images/logo.svg".) As of this moment, Firefox seems to be a bit tighter than Chrome with regards to SVG handling in general. If you open assets/images/logo.svg, does it contain any inline styles (including something as simple as <svg style="display: none;">...)? That would certainly cause a CSP violation. Additionally, adding 'unsafe-inline' to your 'style-src' config should remove such a violation, but I would recommend against it.

from ember-cli-content-security-policy.

@ZebraFlesh Thanks, you were right. There were inline styles in my SVG. I removed them. Regarding that Ember Inspector CSP: I will further investigate it and might open an issue against it. Closing this.

from ember-cli-content-security-policy.

@ZebraFlesh I can reproduce the Ember Inspector CSP report now. Not sure though, whether that addon is the right place to file that issue. Maybe you can give me a hint? Here are the steps to reproduce:

• On Windows (7) generate a new Ember app (latest ember-cli) and start: ember serve --host localhost
• Add contentSecurityPolicy: {'script-src': "'self'"} to your environment.js
• On latest stable Firefox install addon Ember Inspector (make sure that its tab appears at the inspector pane)
• browse to http://localhost:4200/
• you will get the CSP report. If not, click the reload button

I know that adding contentSecurityPolicy: {'script-src': "'self'"} to environment.js doesn't really make sense, because that's the default setting anyway. But nevertheless I think that CSP violation shouldn't occur. By the way, it doesn't happen with Chrome + Ember Inspector. Here is the CSP report:

{"csp-report":{
  "blocked-uri":"self",
  "document-uri":"http://localhost:4200/",
  "line-number":58,
  "original-policy":
    "script-src http://localhost:4200 http://localhost:35729 http://0.0.0.0:35729; 
     default-src 'none'; 
     font-src http://localhost:4200; 
     connect-src http://localhost:4200 ws://localhost:35729 ws://0.0.0.0:35729 http://localhost:4200/csp-report; 
     img-src http://localhost:4200; 
     style-src http://localhost:4200; 
     media-src http://localhost:4200; 
     report-uri http://localhost:4200/csp-report",
  "referrer":"",
  "script-sample":"call to eval() or related function blocked by CSP",
  "source-file":"resource://gre/modules/commonjs/toolkit/loader.js ->
                 resource://gre/modules/commonjs/sdk/loader/sandbox.js ->
                 resource://ember-inspector-at-emberjs-dot-com/ember-inspector/data/content-script.js",
  "violated-directive":"script-src http://localhost:4200 http://localhost:35729 http://0.0.0.0:35729"
}}

from ember-cli-content-security-policy.

So it looks like this addon is failing to add 'unsafe-eval' to 'script-src' in this scenario and that seems to be what it's complaining about ("script-sample":"call to eval() or related function blocked by CSP"). If you remove the contentSecurityPolicy: {'script-src': "'self'"} from environment.js, does this error go away? If no more errors occur at that point, I'd say file an issue here. If more issues occur, file an issue against Ember Inspector.

from ember-cli-content-security-policy.

yes, if I remove contentSecurityPolicy: {'script-src': "'self'"} the error goes away. Will file a new issue here.

from ember-cli-content-security-policy.