Use the content security policy addon for new applications. #2065
Closes #1705.
Excerpts from the repo's README:

This addon adds the `Content-Security-Policy` header to responses sent from the Ember CLI Express server. Clearly, Ember CLI is not intended for production use, and neither is this addon. This is intended as a tool to ensure that CSP is kept in the forefront of your thoughts while developing an Ember application.

Options

This addon is configured via your application's `config/environment.js` file. Two specific properties are used from your project's configuration:

- `contentSecurityPolicyHeader` -- The header to use for CSP (default: `Content-Security-Policy`)
- `contentSecurityPolicy` -- This is an object that is used to build the final header value. Each key/value in this object is converted into a key/value pair in the resulting header value.

The default `contentSecurityPolicy` value (if you do not override it in your `config/environment.js`) is:

Which is translated into:

Please note that when running `ember serve` with live reload enabled, we also add the `liveReloadPort` to the `connect-src` whitelist.
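The README above describes the mechanism in prose only: an object in `config/environment.js` is serialized into the header value, and the live-reload port is appended to `connect-src` during `ember serve`. The following is an added example, not code from ember-cli or from the addon, that models that mechanism end to end. The directive values in `environment`, the function names (`buildCspHeaderValue`, `withLiveReload`, `cspHeader`), and the exact `http://`/`ws://` origin strings appended for live reload are assumptions for illustration; only the two config keys, the header name, and the `connect-src` behaviour come from the README excerpt.

```javascript
// Added example: serialize an object-style CSP config into a header value and
// model the live-reload adjustment. Not the addon's own implementation.

// Hypothetical config/environment.js fragment. The directive values are an
// assumption for illustration, not the addon's documented defaults.
const environment = {
  contentSecurityPolicyHeader: 'Content-Security-Policy',
  contentSecurityPolicy: {
    'default-src': "'none'",
    'script-src': "'self'",
    'style-src': "'self' 'unsafe-inline'",
    'connect-src': "'self'",
    'img-src': "'self' data:",
    'font-src': "'self'",
  },
};

// Each key/value pair becomes "<directive> <source-list>"; directives are
// joined with "; " as the CSP grammar requires.
function buildCspHeaderValue(policy) {
  return Object.keys(policy)
    .map((directive) => `${directive} ${policy[directive]}`)
    .join('; ');
}

// When `ember serve` runs with live reload, the reload client opens a
// connection back to the live-reload port; unless that origin is allowed in
// connect-src the browser blocks it under the policy. The scheme/host strings
// used here are an assumption, not the addon's exact wording.
function withLiveReload(policy, { liveReload = false, liveReloadPort, host = 'localhost' } = {}) {
  if (!liveReload) return policy;
  const origin = `http://${host}:${liveReloadPort} ws://${host}:${liveReloadPort}`;
  const existing = policy['connect-src'] || "'self'";
  // Copy rather than mutate so the config object keeps its declared value.
  return Object.assign({}, policy, { 'connect-src': `${existing} ${origin}` });
}

// Returns the [name, value] pair a dev server middleware would set on each
// response, honouring the contentSecurityPolicyHeader override.
function cspHeader(config, serveOptions = {}) {
  const policy = withLiveReload(config.contentSecurityPolicy, serveOptions);
  const name = config.contentSecurityPolicyHeader || 'Content-Security-Policy';
  return [name, buildCspHeaderValue(policy)];
}

if (typeof module !== 'undefined') {
  module.exports = { environment, buildCspHeaderValue, withLiveReload, cspHeader };
}
```

Setting `contentSecurityPolicyHeader` to `Content-Security-Policy-Report-Only` is the usual way to observe violations in the console without breaking the app while the policy is being tightened; the serialization is identical, only the header name changes.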