"script-src 'self'" causes CSP violation with Ember inspector #38
Comments
This also happens on Mac OSX Firefox version 37. Can be reproduced in the same way.
I see this happening as well on FF. Chrome, no issues.
Doesn't seem to be fixed. I'm still getting CSP violation in firefox 43.0.4 (ubuntu). ember-inspector 1.9.4 Steps to reproduce (using ember-cli 1.13.14):
@rwjblue please reopen.
@jelhan This is an issue with ember-inspector. There is already an open issue about this: I've researched this myself previously, because I've also seen it. Haven't been able to figure out if the root cause is Firefox (not keeping addons within their own CSP scope; I know they do have their own CORS scope), or an issue with the inspector.
Setting contentSecurityPolicy: {'script-src': "'self'"} on an Ember-CLI app causes a CSP violation, if that app is accessed on Windows (maybe also other OS) via latest stable Firefox with Ember Inspector addon installed. Here are the steps to reproduce:
ember serve --host localhost
contentSecurityPolicy: {'script-src': "'self'"} to your environment.js
http://localhost:4200/
I know that adding contentSecurityPolicy: {'script-src': "'self'"} to environment.js doesn't really make sense, because that's the default setting anyway. But nevertheless I think that CSP violation shouldn't occur. By the way, it doesn't happen with Chrome + Ember Inspector. Here is the CSP report:
If I remove contentSecurityPolicy: {'script-src': "'self'"}, the CSP violation doesn't occur any longer.
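Added example, not part of the issue and not code from ember-cli or Ember Inspector: a simplified model of what the policy in this report admits for a page at http://localhost:4200/. It shows that script-src 'self' allows only same-origin script files, so an inline script or a script from another scheme is blocked and reported no matter what added it to the page. The helper names and the sample scripts are constructed for illustration.

```javascript
// Added example: simplified CSP script-src matching, not a browser's full algorithm.
// Handles 'self', 'unsafe-inline', scheme sources and origin sources only;
// nonces, hashes, wildcards and paths are out of scope.

// Policy object from the issue (the value placed in environment.js).
const issuePolicy = { 'script-src': "'self'" };

// Hypothetical helper: serialise a policy object into a header value.
function buildPolicyHeader(policy) {
  return Object.entries(policy)
    .map(([directive, sources]) => `${directive} ${sources}`)
    .join('; ');
}

const sameOrigin = (a, b) => a.protocol === b.protocol && a.host === b.host;

// Hypothetical helper: is this script permitted on a page served from pageUrl?
// script is either { inline: true } or { url: '...' }.
function scriptAllowed(policy, pageUrl, script) {
  const directive = policy['script-src'] ?? policy['default-src'];
  if (directive === undefined) return true; // no governing directive, no restriction
  const sources = directive.split(/\s+/).filter(Boolean);
  if (script.inline) return sources.includes("'unsafe-inline'");

  const page = new URL(pageUrl);
  const target = new URL(script.url, pageUrl);
  return sources.some((source) => {
    if (source === "'self'") return sameOrigin(target, page);
    if (source.startsWith("'")) return false; // other keywords not modelled
    if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {
      return target.protocol === source.toLowerCase();
    }
    try {
      return sameOrigin(target, new URL(source));
    } catch {
      return false; // not an absolute origin source
    }
  });
}

// Constructed sample scripts for the page URL used in the issue.
const samples = [
  { label: 'app bundle', script: { url: '/assets/app.js' } },
  { label: 'injected inline script', script: { inline: true } },
  { label: 'other scheme', script: { url: 'resource://constructed-addon/panel.js' } },
];
for (const { label, script } of samples) {
  const ok = scriptAllowed(issuePolicy, 'http://localhost:4200/', script);
  console.log(`${label}: ${ok ? 'allowed' : 'blocked'}`);
}
```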