
Content security policy violation #33
musaffa opened this issue Aug 6, 2016 · 11 comments
musaffa commented Aug 6, 2016

This line requires inline script execution in production mode and shows an error in the browser console. The error can be silenced by adding 'unsafe-inline' to script-src in the content security policy, but this will make the whole application unsafe.

joshsmith (Collaborator) commented

@musaffa I've mostly turned off CSP in my Ember apps, but do you have a good suggestion for how to handle this?

musaffa (Author) commented Oct 4, 2016

The addon may need a rewrite, or the nonce feature of CSP can be used to whitelist this specific script.

joshsmith (Collaborator) commented

@musaffa do you have any interest in doing a PR for either:

  • making this work with CSP?

or

  • adding some docs to the README for using nonce to whitelist?

musaffa (Author) commented Oct 5, 2016

Sure. I will look into it.

musaffa (Author) commented Nov 3, 2016

@joshsmith The current implementation relies heavily on inline scripting, as it returns a script tag using contentFor. Using a nonce is a no-go, because the nonce is a random value that has to be inserted into script-src on every page request, and it has to be different on every page request. A relatively simpler option is to include the SHA hash of the script itself in script-src, but it is still very complicated.

I've ended up with a much simpler manual implementation:

```js
// application/route.js
import Ember from 'ember';

export default Ember.Route.extend({
  actions: {
    // Fired by the router while a transition waits on its model promises.
    loading(transition) {
      this._super(...arguments);

      // Pace is loaded globally via ember-cli-build.js, so no import is needed here.
      Pace.start();

      // Stop the progress bar whether the transition resolves or rejects.
      transition.promise.finally(function() {
        Pace.stop();
      });
    }
  }
});
```

I've then imported pace.js in ember-cli-build.js and a pace theme in the stylesheet.

Configuration options can also be inserted into Pace like Pace.start(customConfig). Going this way may need a major rewrite of the addon.

joshsmith (Collaborator) commented

Is there really no way in CSP to specify a particular inline script that is injected like this one?

I unfortunately do not have time personally right now to put forth such a massive rewrite (and others probably would want something to say about that), but I'd be happy to see a PR if you wanted to attempt a major version bump branch.

musaffa (Author) commented Nov 3, 2016

Nonce and SHA hash are ways to do this job. But their implementations can be a bit difficult.

My custom implementation is way simpler and does the job that I need. I will need to see if the code can be extracted for the addon.

joshsmith (Collaborator) commented

@musaffa you're a 🍑 ! Thanks for looking into it.

SamiSammour commented

@musaffa Thanks a lot dude, you saved my day

joshsmith (Collaborator) commented

@musaffa any luck on being able to extract out for the addon?

musaffa (Author) commented Nov 28, 2016

@joshsmith Not yet.
