ember-cli-yuidoc

Breaks with CSP enabled

Open dschmidt opened this issue 10 years ago • 7 comments

Hey,

I just installed this addon and it breaks with restrictive CSP enabled.

 Refused to load the stylesheet 'http://yui.yahooapis.com/3.9.1/build/cssgrids/cssgrids-min.css' because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-inline'".

xxx.html:1 Refused to load the script 'http://yui.yahooapis.com/combo?3.9.1/build/yui/yui-min.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' 'unsafe-inline'".

It would be great if you could serve those files directly instead of referring to some online resources.

Best regards, Dominik

dschmidt avatar Mar 03 '15 15:03 dschmidt

Although I'd prefer it that way, another approach would be to add http://yui.yahooapis.com to script-src, img-source and style-source.

dschmidt avatar Mar 03 '15 15:03 dschmidt

I'll investigate how hard it is to serve a customized version of the assets.

On Mar 3, 2015 3:13 PM, "Dominik Schmidt" wrote:

> Although I'd prefer it that way, another approach would be to add http://yui.yahooapis.com to script-src, img-source and style-source.


cibernox avatar Mar 03 '15 15:03 cibernox

Did you close this accidentally with that commit? It seems GitHub doesn't understand "would fix #14" correctly :-)

dschmidt avatar Jul 28 '15 10:07 dschmidt

I don't remember closing this, but honestly I may well have. Also I have to say that I've had little time to give love to this lately. I really need to allocate a Sunday to make this up to date and fix All The Shit™.

cibernox avatar Jul 28 '15 11:07 cibernox

Hehe, well, look at what GitHub says: "cibernox closed this in a27f39f on 17 Mar" and read the commit message:

"TODO: Fix yuidoc itself. Having local assets would also fix #14"

That todo statement apparently closed this issue. If you don't mind, I'll reopen.

dschmidt avatar Jul 28 '15 11:07 dschmidt

So this was GitHub being oversmart. Good to know.

cibernox avatar Jul 28 '15 11:07 cibernox

FWIW, I worked around this issue by using a different theme. Went for yuidoc-bootstrap-theme and added

    "themedir": "node_modules/yuidoc-bootstrap-theme",
    "helpers": ["node_modules/yuidoc-bootstrap-theme/helpers/helpers.js"]

to my yuidoc.json. Would be nice to have something like that out of the box, but this is a good workaround - or at least documentation on that.

dschmidt avatar Oct 31 '15 02:10 dschmidt
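
One way to check generated documentation pages against the policy from the original report before serving them, as an added example that is not part of the thread or of ember-cli-yuidoc. The function names, the page URL and the local asset path are assumptions, and the matcher is a simplified subset of CSP source matching:

```javascript
// Simplified CSP check (added example): 'self', scheme sources and host sources only.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };
function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

function sourceMatches(source, url, pageOrigin) {
  if (source === "'self'") return url.origin === pageOrigin;
  if (source.startsWith("'")) return false; // 'unsafe-inline' etc. never allow a URL load
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?/i.exec(source);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ':') return false;
  const wantPort = port || DEFAULT_PORTS[url.protocol] || '';
  const urlPort = url.port || DEFAULT_PORTS[url.protocol] || '';
  if (wantPort !== '*' && wantPort !== urlPort) return false;
  const h = host.toLowerCase();
  return h === '*' || (h.startsWith('*.') ? url.hostname.endsWith(h.slice(1)) : url.hostname === h);
}

// Returns the external scripts and stylesheets in `html` that `cspHeader` would refuse.
function findBlockedAssets(html, cspHeader, pageUrl) {
  const policy = parsePolicy(cspHeader), page = new URL(pageUrl), blocked = [];
  const tagRe = /<(script|link)\b[^>]*?\b(?:src|href)\s*=\s*["']([^"']+)["'][^>]*>/gi;
  for (const [tag, name, ref] of html.matchAll(tagRe)) {
    const isScript = name.toLowerCase() === 'script';
    if (!isScript && !/rel\s*=\s*["']?stylesheet/i.test(tag)) continue;
    const directive = isScript ? 'script-src' : 'style-src';
    const sources = policy[directive] || policy['default-src'];
    if (!sources) continue; // no governing directive, so the load is unrestricted
    const url = new URL(ref, page);
    if (!sources.some((s) => sourceMatches(s, url, page.origin))) blocked.push({ directive, url: url.href });
  }
  return blocked;
}

// Constructed sample page: the two remote URLs are from the reported errors, the local path is made up.
const SAMPLE_HTML = `
<link rel="stylesheet" href="http://yui.yahooapis.com/3.9.1/build/cssgrids/cssgrids-min.css">
<script src="http://yui.yahooapis.com/combo?3.9.1/build/yui/yui-min.js"></script>
<script src="assets/js/app.js"></script>`;
const STRICT = "script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'";
console.log(findBlockedAssets(SAMPLE_HTML, STRICT, 'http://localhost:4200/docs/index.html'));
```

An empty result for every generated page means the theme in use no longer depends on remote hosts under that policy.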