ember-cli-pace

Content security policy violation

Open musaffa opened this issue 9 years ago • 11 comments

This line requires inline script execution in production mode and shows an error in the browser console. The error can be silenced by enabling 'unsafe-inline' to script-src in content security policy but this will make the whole application unsafe.

musaffa avatar Aug 06 '16 03:08 musaffa

@musaffa I've mostly turned off CSP in my Ember apps, but do you have a good suggestion for how to handle this?

joshsmith avatar Oct 03 '16 23:10 joshsmith

The addon may need a rewrite, or the nonce feature of CSP can be utilized to whitelist this specific script.

musaffa avatar Oct 04 '16 09:10 musaffa

@musaffa do you have any interest in doing a PR for either:

  • making this work with CSP?

or

  • adding some docs to the README for using nonce to whitelist?

joshsmith avatar Oct 05 '16 02:10 joshsmith

Sure. I will look into it.

musaffa avatar Oct 05 '16 07:10 musaffa

@JoshSmith The current implementation heavily relies on inline scripting as it returns a script tag using contentFor. Using nonce is a no-go, because nonce is a random number which should be inserted in script-src on every page request. The random number has to be different on every page request. A relatively simpler option is to include the SHA hash of the script itself in the script-src, but it is still very complicated.

I've ended up with a much simpler manual implementation:

// application/route.js
/* global Pace */  // Pace is a global, loaded via app.import in ember-cli-build.js
import Ember from 'ember';

export default Ember.Route.extend({
  actions: {
    loading(transition) {
      this._super(...arguments);

      // Show the progress bar while the route transition is pending
      Pace.start();

      // Hide it once the transition settles, whether it succeeded or failed
      transition.promise.finally(function() {
        Pace.stop();
      });
    }
  }
});

I've then imported pace.js in ember-cli-build.js and a pace theme in the stylesheet.

Configuration options can also be inserted into Pace like Pace.start(customConfig). Going this way may need a major rewrite of the addon.

musaffa avatar Nov 03 '16 16:11 musaffa

Is there really no way in CSPs to be able to specify a particular inline script being injected like this one?

I unfortunately do not have time personally right now to put forth such a massive rewrite (and others probably would want something to say about that), but I'd be happy to see a PR if you wanted to attempt a major version bump branch.

joshsmith avatar Nov 03 '16 19:11 joshsmith

Nonce and SHA hash are ways to do this job. But their implementations can be a bit difficult.

My custom implementation is way simpler and does the job that I need. I will need to see if the code can be extracted for the addon.

musaffa avatar Nov 03 '16 20:11 musaffa

@musaffa you're a 🍑 ! Thanks for looking into it.

joshsmith avatar Nov 03 '16 22:11 joshsmith

@musaffa Thanks a lot dude, you saved my day

SamiSammour avatar Nov 24 '16 11:11 SamiSammour

@musaffa any luck on being able to extract out for the addon?

joshsmith avatar Nov 24 '16 18:11 joshsmith

@JoshSmith Not yet.

musaffa avatar Nov 28 '16 00:11 musaffa