
Comments (3)

jelhan avatar jelhan commented on June 10, 2024

Do we have any reports from users about this causing misconfiguration issues? Or what users would prefer?

I've looked through issues and PRs in this repo. I haven't found any discussion mentioning this behavior explicitly, but I think some are indirectly caused by it:

  • #76 shows that there are use cases in which you'd like to alter default-src and are then forced to exclude all the other directives manually.
  • #73 and #93 are asking about adding a worker-src directive. Both seem to be motivated by the wrong assumption that directives in the default policy can only be altered in application configuration, but that additional ones cannot be added.

I guess altering default-src or trying to make default configuration even stricter is not a common pattern.

My main motivation is reducing the magic around this plugin and its configuration. It would be great if a developer could know the CSP used by looking at the application configuration only. This is especially important for a configure-and-forget thing like CSP, and even more so since it's security related, IMO.

from ember-cli-content-security-policy.

sandstrom avatar sandstrom commented on June 10, 2024

Do we have any reports from users about this causing misconfiguration issues? Or what users would prefer?

That said, I don't mind changing without knowing what users prefer (and if we'd redesign this from scratch I think what you're suggesting may be slightly better, i.e. no merging).

So I'm mildly 👍 on this without knowing if this is a common problem or not. And if it is, I definitely don't mind dropping the merging.


rwjblue avatar rwjblue commented on June 10, 2024

IMHO, this is a "security by default" issue. The merging behaviors here may result in incorrect CSP settings (hard to say, and I've not personally had this issue) that are less restrictive than the user intended. This seems not ideal...

I think removing the merging behavior but keeping a "good default" (either by blueprinting it into the consuming app upon installation or by using a built-in default when no config is provided by the user) is probably a decent compromise.

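To make the concern in the two comments above concrete, here is an added example (not code from ember-cli-content-security-policy) that simulates both strategies: merging a developer's policy over the addon's defaults versus using the developer's policy as written. The default policy constant is an assumption modelled on the addon's shipped defaults, and the user policy is a constructed sample of what someone might write in their app config believing it to be the whole policy. The `implicitDirectives` helper is the check a reviewer would want: it lists every directive in the effective policy that the developer never wrote, and `effectiveSources` shows why that matters, since an explicit `connect-src 'self'` inherited from the defaults overrides the `default-src 'none'` the developer intended to rely on.

```javascript
// Added example, not the addon's own code. ASSUMED_DEFAULT_POLICY is an
// assumption modelled on ember-cli-content-security-policy's defaults;
// verify against the version actually installed.
const ASSUMED_DEFAULT_POLICY = {
  'default-src': ["'none'"],
  'script-src': ["'self'"],
  'font-src': ["'self'"],
  'connect-src': ["'self'"],
  'img-src': ["'self'"],
  'style-src': ["'self'"],
  'media-src': ["'self'"],
};

// Constructed sample: what a developer might write in
// config/content-security-policy.js, intending it to be the complete policy.
const USER_POLICY = {
  'default-src': ["'none'"],
  'script-src': ["'self'"],
  'style-src': ["'self'", "'unsafe-inline'"],
};

// Merge strategy: user directives override defaults, but every default
// directive the user did not mention survives untouched.
function mergePolicy(defaults, user) {
  return { ...defaults, ...user };
}

// Replace strategy: the effective policy is exactly what the user wrote.
function replacePolicy(user) {
  return { ...user };
}

// Render a policy object as a Content-Security-Policy header value.
// Directives are sorted so the output is stable and easy to diff.
function serializePolicy(policy) {
  return Object.keys(policy)
    .sort()
    .map((directive) => `${directive} ${policy[directive].join(' ')}`)
    .join('; ');
}

// Audit helper: directives present in the effective policy that do not
// appear in the developer's own config, i.e. the "magic" the thread is about.
function implicitDirectives(effective, user) {
  return Object.keys(effective)
    .filter((directive) => !(directive in user))
    .sort();
}

// Resolve the sources a browser applies for a fetch directive such as
// connect-src: an explicit directive wins, otherwise default-src applies.
function effectiveSources(policy, directive) {
  if (directive in policy) return policy[directive];
  return policy['default-src'] || [];
}

// Stand-alone demonstration of the two strategies on the constructed input.
const merged = mergePolicy(ASSUMED_DEFAULT_POLICY, USER_POLICY);
const replaced = replacePolicy(USER_POLICY);
console.log('merged:   ', serializePolicy(merged));
console.log('replaced: ', serializePolicy(replaced));
console.log('directives the developer never wrote:', implicitDirectives(merged, USER_POLICY));
console.log('connect-src under merge:  ', effectiveSources(merged, 'connect-src'));
console.log('connect-src under replace:', effectiveSources(replaced, 'connect-src'));
```

Running this shows four directives (connect-src, font-src, img-src, media-src) in the merged policy that exist nowhere in the developer's config, and that under merging a `connect-src 'self'` silently allows network requests the developer expected `default-src 'none'` to block. Under the replace strategy the header is exactly the three directives written in config, which is the "know the CSP by reading the config" property jelhan is asking for; the trade-off rwjblue notes is that a developer who writes nothing then gets no policy unless a built-in or blueprinted default fills the gap.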
