Comments (10)
Just realized that this isn't runtime configuration but build- and server-only configuration. Because of this it should also be moved from config/environment.js to ember-cli-build.js.
from ember-cli-content-security-policy.
Is it possible to have a more dummies-friendly and declarative configuration, like

```
csp:
  policies:
    images:
      local: true,
      raw-inline: true,
      fromHosts: [ 'http://...', 'http://...' ]
    fonts:
      local: true,
    styles:
      local: true,
      inline: true
    ...
```

I think we can replace `none`, `self` etc. with something more meaningful and less formal. `'font-src': ["'self'"]` scares me; by comparison `policies.fonts.local = true` looks friendly.

I think CSP is kind of a do-and-forget configuration, and we are able to add sugar for it, so as not to ask developers about the formal notation.
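The sugar proposed above, as an added example (my code, not the addon's and not the commenter's): a small expander that turns the friendly per-resource keys into raw CSP directive values. The key names `local`, `inline`, `data` and `fromHosts` and the section names are assumptions; the comment's `raw-inline` is read here as `data:` URIs. It also carries the check a sugar layer needs because the raw notation is no longer visible: each `fromHosts` entry is validated as a single source token, so a stray `;` or space in a config value cannot append extra sources or a whole extra directive.

```javascript
// Added example, not code from ember-cli-content-security-policy or from the
// proposal above: expands "friendly" per-resource keys into raw CSP directive
// values. The keys local/inline/data/fromHosts and the section names are
// assumptions; the comment's "raw-inline" is read here as data: URIs.

const DIRECTIVE_FOR = {
  default: 'default-src',
  scripts: 'script-src',
  styles: 'style-src',
  images: 'img-src',
  fonts: 'font-src',
  connections: 'connect-src',
  frames: 'frame-src',
};

// A host entry must be exactly one CSP source token. Whitespace, ';' or ','
// inside it would let a config value smuggle in extra sources or directives
// (sources are space-separated, directives ';'-separated, policies ','-separated).
function assertSourceToken(host) {
  if (typeof host !== 'string' || host.length === 0 || /[\s;,]/.test(host)) {
    throw new Error(`invalid host-source in config: ${JSON.stringify(host)}`);
  }
  return host;
}

// Turn { images: { local: true, ... }, ... } into { 'img-src': ["'self'", ...], ... }.
function expandSugar(policies) {
  const directives = {};
  for (const [section, options] of Object.entries(policies)) {
    const directive = DIRECTIVE_FOR[section];
    if (!directive) throw new Error(`unknown policy section: ${section}`);
    const sources = [];
    if (options.local) sources.push("'self'");
    if (options.inline) sources.push("'unsafe-inline'");
    if (options.data) sources.push('data:');
    for (const host of options.fromHosts || []) sources.push(assertSourceToken(host));
    // A section with nothing enabled blocks everything, which CSP spells 'none'.
    directives[directive] = sources.length ? sources : ["'none'"];
  }
  return directives;
}

// Constructed sample in the shape sketched in the comment above.
const sugarConfig = {
  default: {},
  images: { local: true, data: true, fromHosts: ['https://cdn.example.com'] },
  fonts: { local: true },
  styles: { local: true, inline: true },
  scripts: { local: true },
};

console.log(expandSugar(sugarConfig));
```

Note what `inline: true` on `scripts` expands to: `'unsafe-inline'`, which disables most of the script-injection protection CSP provides. That cost is spelled out in the formal notation and hidden by the sugar, which is worth weighing when deciding how friendly the config format should be.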
@rwjblue I'm willing to provide a PR for this but would like to know beforehand if you are willing to accept such a change of the configuration API. Also the status of this addon is unclear to me. It still has high weekly download numbers on NPM, but PRs have been open for a long time without feedback and it's missing any test coverage. 😞 Let me know if there is anything I could help with. This addon provides a valuable feature for the ecosystem and could provide big value if known limitations (e.g. testing support) are addressed IMO.
@jelhan Looks good overall!

Some thoughts:

- Should we use a key for delivery, instead of meta true/false? And basically only deliver via header or meta, but not both. I think that may avoid some confusion + some issues around the directives that can only be delivered via headers.

  ```js
  // …
  enabled: true,
  delivery: 'meta', // or 'header'
  // …
  ```

- How about the directives that don't have a value[1], for example `block-all-mixed-content`? Perhaps we could use `"block-all-mixed-content": true,` as the syntax for them.
- Your example on the transition `ENV.contentSecurityPolicyHeader === 'Content-Security-Policy'`, shouldn't that be `ENV.contentSecurityPolicyHeader === 'Content-Security-Policy-Report-Only'`?
- Do we know how many addons would be affected? It's great that you are thinking about the transition + supporting existing addons. Would very much prefer if this won't need to be a breaking change.

I know rwjblue still cares about this repo and wants to see it progress, but he's a busy person. So I'm certain it's not neglect, it's just a lack of bandwidth. Anyway, I have commit bits to this repo so I can help shepherd it through (though I'll try to get rwjblue to sign off on it first).
> Should we use a key for delivery, instead of meta true/false?

I like that one but would additionally support `both` as an option, to not add a breaking change.

> How about the directives that don't have a value[1], for example block-all-mixed-content? Perhaps we could use "block-all-mixed-content": true, as the syntax for them

I like that proposal. Are these ones currently supported?

> Your example on the transition ENV.contentSecurityPolicyHeader === 'Content-Security-Policy', shouldn't that be ENV.contentSecurityPolicyHeader === 'Content-Security-Policy-Report-Only'?

💯 Updated first post accordingly.

> Do we know how many addons would be affected? It's great that you are thinking about the transition + supporting existing addons. Would very much prefer if this won't need to be a breaking change.

A change here would not only affect addons but also a lot of applications. This addon has 24,758 weekly downloads. That's a lot for our ecosystem. For comparison, ember-cli has 120,459 weekly downloads. It was part of the default blueprint of applications and addons for a long time.
- Good point, how about allowing an array for the `delivery` key, so that the default could be:

  ```js
  // it would accept this (default, for backwards compatibility):
  delivery: ['meta', 'header'],
  // and also accept a single value
  delivery: 'meta',
  ```

  (in case there would be some future mechanism for CSP delivery)

- Not really, right now you could do this and it would kind of work:

  ```js
  'block-all-mixed-content': '',
  ```

- Sounds good!
- Yes, that's a lot, we'll have to make sure this won't cause an unnecessary interruption.
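The delivery options and valueless directives discussed in the comments above, as an added example (my code, not the addon's): a serializer that accepts `delivery` as either a single string or an array, writes directives whose value is `true` (or the current `''`) without a value, and switches to the `Content-Security-Policy-Report-Only` header when a `reportOnly` key (an assumed name) is set. It also handles the "directives that can only be delivered via headers" issue raised above: browsers ignore `frame-ancestors`, `report-uri` and `sandbox` in a `<meta>` element, and a report-only policy cannot be delivered via `<meta>` at all, so those cases are dropped with a warning instead of silently emitting a policy that does not do what the config says.

```javascript
// Added example, not code from ember-cli-content-security-policy: serialise the
// configuration shape discussed above into the header(s) and/or <meta> policy to
// deliver. `delivery` may be a string or an array, valueless directives are
// written as `true`, and `reportOnly` (an assumed key name) switches the header.

// Directives a browser ignores when the policy arrives via <meta>.
const HEADER_ONLY_DIRECTIVES = new Set(['frame-ancestors', 'report-uri', 'sandbox']);

// Serialise a directive map into one policy string.
function buildPolicy(policy, { forMeta = false } = {}) {
  const parts = [];
  for (const [name, value] of Object.entries(policy)) {
    if (forMeta && HEADER_ONLY_DIRECTIVES.has(name)) continue;
    if (value === false) continue;
    if (value === true || value === '') {
      parts.push(name);                        // valueless directive
    } else if (Array.isArray(value)) {
      if (value.length === 0) continue;
      parts.push(`${name} ${value.join(' ')}`);
    } else if (typeof value === 'string') {
      parts.push(`${name} ${value}`);
    } else {
      throw new TypeError(`unsupported value for directive ${name}`);
    }
  }
  return parts.join('; ');
}

// Work out what to emit for each requested delivery mechanism.
function planDelivery(config) {
  const mechanisms = Array.isArray(config.delivery) ? config.delivery : [config.delivery];
  const headerName = config.reportOnly
    ? 'Content-Security-Policy-Report-Only'
    : 'Content-Security-Policy';
  const deliveries = [];
  const warnings = [];
  for (const mechanism of mechanisms) {
    if (mechanism === 'header') {
      deliveries.push({ via: 'header', name: headerName, value: buildPolicy(config.policy) });
    } else if (mechanism === 'meta') {
      // There is no report-only equivalent of the <meta> element.
      if (config.reportOnly) {
        warnings.push('report-only policies cannot be delivered via <meta>; skipping');
        continue;
      }
      const dropped = Object.keys(config.policy).filter((d) => HEADER_ONLY_DIRECTIVES.has(d));
      if (dropped.length) warnings.push(`dropped header-only directive(s) from <meta>: ${dropped.join(', ')}`);
      deliveries.push({ via: 'meta', name: 'Content-Security-Policy', value: buildPolicy(config.policy, { forMeta: true }) });
    } else {
      throw new Error(`unknown delivery mechanism: ${mechanism}`);
    }
  }
  return { deliveries, warnings };
}

// Constructed sample configuration in the shape proposed above.
const sampleConfig = {
  enabled: true,
  delivery: ['meta', 'header'],
  reportOnly: false,
  policy: {
    'default-src': ["'none'"],
    'script-src': ["'self'"],
    'img-src': ["'self'", 'data:'],
    'frame-ancestors': ["'none'"],
    'block-all-mixed-content': true,
    'upgrade-insecure-requests': true,
    'report-uri': '/csp-report',
  },
};

console.log(JSON.stringify(planDelivery(sampleConfig), null, 2));
```

Running it on the sample shows the practical consequence of the default `['meta', 'header']`: the header carries `frame-ancestors 'none'` and `report-uri`, while the `<meta>` copy silently lacks both, so an app that only ever looks at its `<meta>` tag can believe it is protected against framing when it is not.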
Most of the configuration refactoring discussed here has landed in #94. The policy object isn't refactored yet. @lifeart do you have time to work on that one, as it was your suggestion? I'm totally in favor of it but would like to focus on other parts of this addon. It would be great to change the configuration in one release only and not in several ones.
@jelhan sorry, this week I have no time for it :(
I think we need more polishing on the proposed config format, to have all items consistent.
@lifeart Although I really appreciate that you'd like to help out improving this addon, I'm not convinced that we should move to something "dummies-friendly". Although I agree that CSP is complicated and sometimes confusing, there are also disadvantages to adding another layer of abstraction.
Happy to discuss further though! I could certainly change my mind if there are good arguments in favor of dumbing it down.
But just wanted to make this note so you don't start working on something that may not be merged in the end.
cc: @jelhan
I'll go ahead and close this issue. But feel free to open a new one if you want to discuss more changes to the config format! 😄
Thanks @jelhan for landing the first refactor!