
"script-src 'self'" causes CSP violation with Ember inspector #38

Closed
Awem opened this issue Apr 30, 2015 · 4 comments

Comments

@Awem

Awem commented Apr 30, 2015

Setting contentSecurityPolicy: {'script-src': "'self'"} on an Ember-CLI app causes a CSP violation, if that app is accessed on Windows (maybe also other OS) via latest stable Firefox with Ember Inspector addon installed. Here are the steps to reproduce:

  • On Windows (7) generate a new Ember app (latest ember-cli) and start: ember serve --host localhost
  • Add contentSecurityPolicy: {'script-src': "'self'"} to your environment.js
  • On latest stable Firefox install addon Ember Inspector (make sure that its tab appears at the inspector pane)
  • browse to http://localhost:4200/
  • you will get the CSP report. If not, click the reload button

I know that adding contentSecurityPolicy: {'script-src': "'self'"} to environment.js doesn't really make sense, because that's the default setting anyway. But nevertheless I think that CSP violation shouldn't occur. By the way, it doesn't happen with Chrome + Ember Inspector. Here is the CSP report:

```
{"csp-report":{
  "blocked-uri":"self",
  "document-uri":"http://localhost:4200/",
  "line-number":58,
  "original-policy":
    "script-src http://localhost:4200 http://localhost:35729 http://0.0.0.0:35729; 
     default-src 'none'; 
     font-src http://localhost:4200; 
     connect-src http://localhost:4200 ws://localhost:35729 ws://0.0.0.0:35729 http://localhost:4200/csp-report; 
     img-src http://localhost:4200; 
     style-src http://localhost:4200; 
     media-src http://localhost:4200; 
     report-uri http://localhost:4200/csp-report",
  "referrer":"",
  "script-sample":"call to eval() or related function blocked by CSP",
  "source-file":"resource://gre/modules/commonjs/toolkit/loader.js ->
                 resource://gre/modules/commonjs/sdk/loader/sandbox.js ->
                 resource://ember-inspector-at-emberjs-dot-com/ember-inspector/data/content-script.js",
  "violated-directive":"script-src http://localhost:4200 http://localhost:35729 http://0.0.0.0:35729"
}}
```

If I remove contentSecurityPolicy: {'script-src': "'self'"}, the CSP violation doesn't occur any longer.
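The report above is the kind of payload that lands on the app's report-uri endpoint (/csp-report). As an added example that is not part of this issue or of the addon's own code, the following Node-style JavaScript triages such a report and flags ones whose Firefox source-file chain originates in an extension or browser-internal resource: URL, so that extension noise can be separated from violations raised by the app's own scripts; the scheme list and the two embedded sample reports are constructed for the example.

```javascript
const EXTENSION_SCHEMES = new Set(['resource:', 'moz-extension:', 'chrome-extension:', 'chrome:']);

// Firefox reports the loader chain as "a -> b -> c"; split it into URLs.
function sourceChain(report) {
  return (report['source-file'] || '').split('->').map((s) => s.trim()).filter(Boolean);
}

function schemeOf(url) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  return m ? `${m[1].toLowerCase()}:` : '';
}

// Accepts either the full {"csp-report": {...}} body or the inner object.
function triageCspReport(body) {
  const r = body['csp-report'] || body;
  const chain = sourceChain(r);
  // Count it as extension noise only if every hop in the chain is an extension/internal URL.
  const fromExtension = chain.length > 0 && chain.every((u) => EXTENSION_SCHEMES.has(schemeOf(u)));
  return {
    directive: (r['violated-directive'] || '').split(/\s+/)[0],
    blockedUri: r['blocked-uri'] || '',
    origin: chain.length ? chain[chain.length - 1] : null,
    evalBlocked: /eval\(\)/.test(r['script-sample'] || ''),
    fromExtension,
    action: fromExtension ? 'ignore-extension-noise' : 'investigate',
  };
}

// Constructed sample, condensed from the Firefox + Ember Inspector report in this issue.
const INSPECTOR_REPORT = JSON.stringify({
  'csp-report': {
    'blocked-uri': 'self',
    'document-uri': 'http://localhost:4200/',
    'script-sample': 'call to eval() or related function blocked by CSP',
    'source-file': 'resource://gre/modules/commonjs/toolkit/loader.js -> ' +
      'resource://gre/modules/commonjs/sdk/loader/sandbox.js -> ' +
      'resource://ember-inspector-at-emberjs-dot-com/ember-inspector/data/content-script.js',
    'violated-directive': 'script-src http://localhost:4200 http://localhost:35729',
  },
});

// Constructed contrast case: the same eval() violation raised by the app's own bundle.
const APP_REPORT = { 'csp-report': {
  'blocked-uri': 'self',
  'script-sample': 'call to eval() or related function blocked by CSP',
  'source-file': 'http://localhost:4200/assets/vendor.js',
  'violated-directive': "script-src 'self'",
} };
```

A report endpoint can log the `origin` of every report and only alert on `action === 'investigate'`, which keeps the Inspector's eval() noise out of the signal without relaxing the policy itself.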

@Eptis

Eptis commented May 7, 2015

This also happens on Mac OSX Firefox version 37. Can be reproduced in the same way.

@krzkrzkrz

I see this happening as well on FF. Chrome, no issues.

@jelhan
Collaborator

jelhan commented Jan 27, 2016

Doesn't seem to be fixed. I'm still getting CSP violation in firefox 43.0.4 (ubuntu).

ember-inspector 1.9.4

Steps to reproduce (using ember-cli 1.13.14):

```
$ ember new testCSP
$ cd testCSP
$ ember install ember-cli-content-security-policy@0.5.0
$ ember server
```

@rwjblue please reopen.

@sandstrom
Collaborator

@jelhan This is an issue with ember-inspector. There is already an open issue about this:
emberjs/ember-inspector#471

I've researched this myself previously, because I've also seen it. Haven't been able to figure out if the root cause is Firefox (not keeping addons within their own CSP scope; I know they do have their own CORS scope), or an issue with the inspector.
