
fix: Example allows manifest from self #365

Closed
wants to merge 1 commit into from

Conversation

MichalBryxi
Contributor

  • The given example is quite a handy starting point for copy&paste.
  • Unfortunately, for Chrome with modern Ember apps it gives:

```
assessment:1 Refused to load manifest from 'http://localhost:4200/manifest.webmanifest' because it violates the following Content Security Policy directive: "default-src 'none'". Note that 'manifest-src' was not explicitly set, so 'default-src' is used as a fallback.
```

  • This patch makes the README a nicer starting point.

@jelhan
Collaborator

jelhan commented Apr 16, 2024

I'm wondering if we should update the default configuration as well:

```js
// default configuration; CSP_NONE and CSP_SELF are the addon's constants
// for the source expressions "'none'" and "'self'"
let config = {
  delivery: ['header'],
  enabled: true,
  failTests: true,
  policy: {
    'default-src': [CSP_NONE],
    'script-src': [CSP_SELF],
    'font-src': [CSP_SELF],
    'connect-src': [CSP_SELF],
    'img-src': [CSP_SELF],
    'style-src': [CSP_SELF],
    'media-src': [CSP_SELF],
  },
  reportOnly: true,
};
```
and
If you omit some or all of the keys, the default configuration will be used, which is:
```js
// config/content-security-policy.js
module.exports = function (environment) {
  return {
    delivery: ['header'],
    enabled: true,
    failTests: true,
    policy: {
      'default-src': ["'none'"],
      'script-src': ["'self'"],
      'font-src': ["'self'"],
      'connect-src': ["'self'"],
      'img-src': ["'self'"],
      'style-src': ["'self'"],
      'media-src': ["'self'"],
    },
    reportOnly: true,
  };
};
```
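To make the fallback rule in that Chrome message concrete, here is an added example that is not code from the addon or this PR: it evaluates a policy object in the addon's shape against a manifest request, first with the default configuration and then with the PR's manifest-src addition. The CSP_NONE/CSP_SELF constants and the helper names are assumptions, not the addon's API.

```javascript
// Added example, not code from ember-cli-content-security-policy or this PR.
// Models the fallback behind the reported error: a fetch directive that is
// not set explicitly (manifest-src here) inherits default-src, so
// `default-src 'none'` blocks the manifest until manifest-src is added.
const CSP_NONE = "'none'"; // assumed to match the addon's constants
const CSP_SELF = "'self'";

// The addon's default policy as quoted in the thread.
const DEFAULT_POLICY = {
  'default-src': [CSP_NONE],
  'script-src': [CSP_SELF],
  'font-src': [CSP_SELF],
  'connect-src': [CSP_SELF],
  'img-src': [CSP_SELF],
  'style-src': [CSP_SELF],
  'media-src': [CSP_SELF],
};

// The PR's change: allow the web manifest from the app's own origin.
const FIXED_POLICY = { ...DEFAULT_POLICY, 'manifest-src': [CSP_SELF] };

// Source list governing `directive`: the explicit one if present, otherwise
// default-src. Only the direct default-src fallback is modelled, which is
// all the directives in this thread use.
function effectiveSources(policy, directive) {
  if (policy[directive]) return { sources: policy[directive], fallback: false };
  return { sources: policy['default-src'] || [], fallback: true };
}

// Would loading `url` under `directive` be allowed on a page at `pageOrigin`?
// Supports 'none', 'self' and exact origins, the only forms used here.
function isAllowed(policy, directive, url, pageOrigin) {
  const { sources } = effectiveSources(policy, directive);
  const origin = new URL(url).origin;
  return sources.some((src) => {
    if (src === CSP_NONE) return false;
    if (src === CSP_SELF) return origin === pageOrigin;
    return src === origin;
  });
}

// Serialize a policy object into the header value the addon delivers.
function toHeaderValue(policy) {
  return Object.entries(policy)
    .map(([directive, sources]) => `${directive} ${sources.join(' ')}`)
    .join('; ');
}
```

Run with `node` to compare `toHeaderValue(DEFAULT_POLICY)` and `toHeaderValue(FIXED_POLICY)`; only the latter serves the manifest at `http://localhost:4200`.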

@MichalBryxi
Contributor Author

Good point @jelhan. Added.

@MichalBryxi
Contributor Author

Not sure why the CI gods are angry ...

@jelhan
Collaborator

jelhan commented Apr 16, 2024

> Not sure why the CI gods are angry ...

It seems to fail due to Prettier formatting:

```
$ eslint . --cache

/home/runner/work/ember-cli-content-security-policy/ember-cli-content-security-policy/lib/utils.js
ERROR: "lint:js" exited with 1.
Error:   78:7  error  Replace `·'default-src':·` with `'default-src':`                prettier/prettier
Error:   79:7  error  Replace `·'script-src':···` with `'script-src':·`               prettier/prettier
Error:   80:7  error  Replace `·'font-src':·····` with `'font-src':·`                 prettier/prettier
Error:   81:1  error  Replace `·······'connect-src':··` with `······'connect-src':·`  prettier/prettier
Error:   82:7  error  Replace `·'img-src':······` with `'img-src':·`                  prettier/prettier
Error:   83:7  error  Replace `·'style-src':····` with `'style-src':·`                prettier/prettier
Error:   84:1  error  Delete `·`                                                      prettier/prettier
Error:   85:7  error  Replace `·'media-src':···` with `'media-src':`                  prettier/prettier

✖ 8 problems (8 errors, 0 warnings)
  8 errors and 0 warnings potentially fixable with the `--fix` option.
```

@MichalBryxi
Contributor Author

Even a change in the README would mean running CI, which is borked now. Just going to close this for now.

@MichalBryxi MichalBryxi deleted the patch-1 branch April 29, 2024 19:35