
Use the content security policy addon for new applications. #2065

Merged
merged 1 commit into from
Sep 21, 2014

Conversation

rwjblue
Member

@rwjblue rwjblue commented Sep 21, 2014

Closes #1705.

Excerpts from the [repo's README](https://github.com/rwjblue/ember-cli-content-security-policy/blob/master/README.md):

-----

This addon adds the `Content-Security-Policy` header to responses sent from the Ember CLI Express server. Clearly, Ember CLI is not intended for production use, and neither is this addon. This is intended as a tool to ensure that CSP is kept in the forefront of your thoughts while developing an Ember application.

Options

This addon is configured via your application's `config/environment.js` file. Two specific properties are used from your project's configuration:

* `contentSecurityPolicyHeader` -- The header to use for CSP (**default: `Content-Security-Policy`**)
* `contentSecurityPolicy` -- This is an object that is used to build the final header value. Each key/value in this object is converted into a key/value pair in the resulting header value.

The default `contentSecurityPolicy` value (if you do not override it in your `config/environment.js`) is:

```javascript
contentSecurityPolicy: {
  'default-src': 'none',
  'script-src': 'self',
  'connect-src': 'self',
  'img-src': 'self',
  'style-src': 'self'
}
```

Which is translated into:

```
default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';
```

Please note that when running `ember serve` with live reload enabled, we also add the `liveReloadPort` to the `connect-src` whitelist.

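The README describes the translation from a `contentSecurityPolicy` object to a header value, plus the live-reload special case for `connect-src`. The following is an added example written for this page, not code from ember-cli or the addon: it reproduces the documented header string from the config object and shows how `connect-src` can be widened for the live-reload port. The function names `buildCspHeader` and `withLiveReload`, the `http://` and `ws://` source shapes, and the `localhost` host are assumptions of the example; the exact sources the addon appends are not shown on the page. The keywords are written quoted, as the correction later in this thread requires.

```javascript
// Added example, not code from ember-cli or the addon. Builds the CSP header
// value from a contentSecurityPolicy object and widens connect-src for the
// live-reload port. buildCspHeader, withLiveReload, the http/ws source shapes
// and the localhost host are assumptions of this example.

// The README's default policy, with keywords single-quoted as CSP requires.
const DEFAULT_POLICY = {
  'default-src': "'none'",
  'script-src': "'self'",
  'connect-src': "'self'",
  'img-src': "'self'",
  'style-src': "'self'",
};

// Each key/value pair becomes "<directive> <value>;", joined by single spaces.
// For DEFAULT_POLICY this yields exactly the header string the README shows.
function buildCspHeader(policy) {
  return Object.keys(policy)
    .map((directive) => `${directive} ${policy[directive]};`)
    .join(' ');
}

// With `ember serve` and live reload enabled the browser connects back to
// liveReloadPort, so connect-src must allow that origin. Returns a new object
// and never mutates the input.
function withLiveReload(policy, liveReloadPort, host = 'localhost') {
  // Assumed: both the http origin and the websocket origin are needed.
  const extra = `http://${host}:${liveReloadPort} ws://${host}:${liveReloadPort}`;
  const current = policy['connect-src'];
  let connectSrc;
  if (current === undefined) {
    // No connect-src: the browser falls back to default-src, so the new
    // directive must carry the inherited sources forward (unless 'none').
    const fallback = policy['default-src'];
    connectSrc = fallback && fallback !== "'none'" ? `${fallback} ${extra}` : extra;
  } else if (current === "'none'") {
    // 'none' must be the only source expression: replace it, do not append.
    connectSrc = extra;
  } else {
    connectSrc = `${current} ${extra}`;
  }
  return Object.assign({}, policy, { 'connect-src': connectSrc });
}

// Constructed usage: the header a dev server with live reload would send.
console.log(buildCspHeader(withLiveReload(DEFAULT_POLICY, 35729)));
```

The `'none'` branch matters in practice: a policy whose `connect-src` is `'none'` cannot simply have a port appended, because `'none'` is only valid on its own; the example replaces it instead of producing a malformed directive.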
rwjblue added a commit that referenced this pull request Sep 21, 2014
Use the content security policy addon for new applications.
@rwjblue rwjblue merged commit 8c85fb0 into ember-cli:master Sep 21, 2014
@rwjblue rwjblue deleted the use-csp-by-default branch September 21, 2014 02:37
@stefanpenner stefanpenner self-assigned this Sep 21, 2014
@thejchap
Contributor

After doing a diff of 0.46 `ember init` to master `ember init` and updating stuff accordingly I am getting `Refused to load the script 'http://localhost:4200/assets/ui.js' because it violates the following Content Security Policy directive: "script-src self".` with the default CSP values suggested in the readme @ https://github.com/rwjblue/ember-cli-content-security-policy ... am I missing something here?

environment.js:

```javascript
...
ENV.APP.contentSecurityPolicy = {
  'default-src': 'none',
  'script-src': 'self',
  'connect-src': 'self',
  'img-src': 'self',
  'style-src': 'self'
};
...
```

@rwjblue
Member Author

rwjblue commented Sep 30, 2014

@thejchap - First, that is the default, so you don't have to do anything. Second, the readme is wrong (realized it this morning and released 0.1.3 of the package to fix). It should be (note that `self` and `none` are quoted):

```javascript
contentSecurityPolicy: {
  'default-src': "'none'",
  'script-src': "'self'",
  'connect-src': "'self'",
  'img-src': "'self'",
  'style-src': "'self'"
}
```
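The exchange above turns on a single detail of the CSP source-list grammar: keywords such as `self` and `none` must be single-quoted, and a bare `self` is parsed as a host named "self", which is why the browser refused the app's own script on `localhost:4200`. The following is an added example, not the addon's code, that checks a `contentSecurityPolicy` object for exactly this misconfiguration and repairs it; `lintPolicy`, `quoteKeywords` and the constructed `UNQUOTED` input are this example's own names.

```javascript
// Added example, not the addon's code: lint a contentSecurityPolicy object for
// CSP keywords written without their quotes, and repair them. lintPolicy,
// quoteKeywords and UNQUOTED are names chosen for this example.

// Keywords that the CSP grammar requires to be single-quoted. Unquoted, each
// is read as a host-source (a server literally named "self", "none", ...).
const CSP_KEYWORDS = ['self', 'none', 'unsafe-inline', 'unsafe-eval'];

// Returns one finding per problem; an empty array means the policy passes.
// Each directive value is split on whitespace into source expressions.
function lintPolicy(policy) {
  const findings = [];
  for (const directive of Object.keys(policy)) {
    const sources = String(policy[directive]).trim().split(/\s+/).filter(Boolean);
    for (const source of sources) {
      if (CSP_KEYWORDS.includes(source)) {
        findings.push({ directive, source, message: `keyword must be quoted: '${source}'` });
      }
    }
    // 'none' is meant to stand alone; combining it with other sources is a
    // mistake (browsers have resolved the conflict differently across CSP versions).
    if (sources.includes("'none'") && sources.length > 1) {
      findings.push({ directive, source: "'none'", message: "'none' cannot be combined with other sources" });
    }
  }
  return findings;
}

// Repair the common case: wrap bare keywords in single quotes and leave
// scheme and host sources untouched. Returns a new object.
function quoteKeywords(policy) {
  const fixed = {};
  for (const directive of Object.keys(policy)) {
    fixed[directive] = String(policy[directive])
      .trim()
      .split(/\s+/)
      .filter(Boolean)
      .map((source) => (CSP_KEYWORDS.includes(source) ? `'${source}'` : source))
      .join(' ');
  }
  return fixed;
}

// Constructed input mirroring the unquoted config posted earlier in the thread.
const UNQUOTED = {
  'default-src': 'none',
  'script-src': 'self',
  'connect-src': 'self',
  'img-src': 'self',
  'style-src': 'self',
};

for (const f of lintPolicy(UNQUOTED)) {
  console.log(`${f.directive}: ${f.message}`);
}
console.log(quoteKeywords(UNQUOTED));
```

Running the lint against the unquoted config reports all five directives; running it against the quoted form from the comment above reports nothing, which is the quickest way to confirm a `config/environment.js` before wondering why the dev server refuses its own assets.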

@thejchap
Contributor

@rwjblue Roger that. Thanks!

Successfully merging this pull request may close these issues.

Inline javascript in index.html violates Content Security Policy (CSP)