Comments (3)
Do we have any reports from users about this causing misconfiguration issues? Or what users would prefer?
I've looked through issues and PRs in this repo. Haven't found any discussion mentioning this behavior explicitly. But I think some are indirectly caused by this:
- #76 shows that there are use cases in which you'd like to alter `default-src` and are forced to exclude all other ones manually.
- #73 and #93 are asking about adding a `worker-src` directive. Both seem to be motivated by the wrong assumption that directives in the default policy could only be altered in application configuration but not additional ones added.
I guess altering `default-src` or trying to make the default configuration even stricter is not a common pattern.
My main motivation is reducing the magic around this plugin and its configuration. It would be great if a developer could know the CSP used by looking at the application configuration only. This is especially important for a configure-and-forget thing like CSP, and if it's security related, IMO.
from ember-cli-content-security-policy.
Do we have any reports from users about this causing misconfiguration issues? Or what users would prefer?
That said, I don't mind changing without knowing what users prefer (and if we'd redesign this from scratch I think what you're suggesting may be slightly better, i.e. no merging).
So I'm mildly 👍 on this without knowing if this is a common problem or not. And if it is, I definitely don't mind dropping the merging.
from ember-cli-content-security-policy.
IMHO, this is a "security by default" issue. The merging behaviors here may result in incorrect CSP settings (hard to say, and I've not personally had this issue) that are less restrictive than the user intended. This seems not ideal...
I think removing the merging behavior but keeping a "good default" (either by blueprinting it into the consuming app upon installation or by using a built in default when no config is provided by the user) is probably a decent compromise.
from ember-cli-content-security-policy.
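The thread's point (merging an app's CSP config over a built-in default can yield a policy less restrictive than the app's config implies) is easy to see in code. The following is an added example written for this page, not code from ember-cli-content-security-policy; the default policy, the app config and the CDN host `https://cdn.example.invalid` are constructed for illustration and the fallback logic is a simplification of real CSP semantics.

```javascript
// Added example, not code from ember-cli-content-security-policy.
// It models the two strategies discussed above, "merge the app's policy
// over a built-in default" versus "use the app's policy as-is", and lists
// the directives where merging is looser than the app's own config.

// Constructed default policy. It resembles common addon defaults but is an
// assumption for this example, not the addon's real configuration.
const DEFAULT_POLICY = {
  'default-src': ["'none'"],
  'script-src': ["'self'"],
  'style-src': ["'self'"],
  'img-src': ["'self'"],
  'font-src': ["'self'"],
  'connect-src': ["'self'"],
  'media-src': ["'self'"],
};

// Fetch directives that fall back to default-src when not listed explicitly.
// Simplified: real CSP has longer chains (e.g. worker-src falls back via
// child-src and script-src first), and non-fetch directives such as
// frame-ancestors never fall back at all.
const FETCH_DIRECTIVES = [
  'script-src', 'style-src', 'img-src', 'font-src', 'connect-src',
  'media-src', 'object-src', 'frame-src', 'worker-src', 'manifest-src',
];

// Strategy A (the current behavior in the thread): app config overrides the
// matching default directives, every other default directive survives.
function mergePolicy(appPolicy) {
  return { ...DEFAULT_POLICY, ...appPolicy };
}

// Strategy B (the proposed compromise): the app config is the whole policy;
// the built-in default is used only when the app provides no config at all.
function replacePolicy(appPolicy) {
  return appPolicy ? { ...appPolicy } : { ...DEFAULT_POLICY };
}

// Sources a browser applies for a fetch directive: the explicit entry, else
// default-src, else no restriction (null).
function effectiveSources(policy, directive) {
  if (policy[directive]) return policy[directive];
  if (FETCH_DIRECTIVES.includes(directive) && policy['default-src']) {
    return policy['default-src'];
  }
  return null;
}

// Directives whose effective sources under "merge" differ from what the
// app's own config yields on its own, i.e. where the merge changes the policy.
function directivesLoosenedByMerge(appPolicy) {
  const merged = mergePolicy(appPolicy);
  const own = replacePolicy(appPolicy);
  return FETCH_DIRECTIVES.filter((d) => {
    const a = effectiveSources(merged, d);
    const b = effectiveSources(own, d);
    return JSON.stringify(a) !== JSON.stringify(b);
  }).sort();
}

// Header value in the usual "directive sources; directive sources" form.
function serialize(policy) {
  return Object.entries(policy)
    .map(([directive, sources]) => `${directive} ${sources.join(' ')}`)
    .join('; ');
}

// Check worth running under either strategy: without default-src, every
// fetch directive left unlisted is unrestricted.
function lintPolicy(policy) {
  const findings = [];
  if (!policy['default-src']) {
    findings.push('missing default-src: unlisted fetch directives are unrestricted');
  }
  return findings;
}

// Constructed app config for the situation in #76: the app wants scripts
// from itself and one (hypothetical) CDN, and everything else to fall back
// to default-src 'none'.
const APP_POLICY = {
  'default-src': ["'none'"],
  'script-src': ["'self'", 'https://cdn.example.invalid'],
};

console.log('merged :', serialize(mergePolicy(APP_POLICY)));
console.log('as-is  :', serialize(replacePolicy(APP_POLICY)));
console.log('loosened by merge:', directivesLoosenedByMerge(APP_POLICY));
console.log('lint (no default-src):', lintPolicy({ 'script-src': ["'self'"] }));
```

With the constructed default, the merged policy still allows `'self'` for styles, images, fonts, connections and media although the app's config only named `default-src 'none'` and `script-src`; the as-is policy blocks all of them. The lint check covers the risk that appears once merging is dropped: an app config that omits `default-src` leaves every unlisted fetch directive unrestricted.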