adopted-ember-addons / ember-cli-content-security-policy

MIT License

hashed unsafe-inline support? #67

Open jamesarosen opened 8 years ago

jamesarosen commented 8 years ago

unsafe-inline isn't sufficient to allow <script>...</script> on the page. CSP 2 requires those tags to have a hash of their contents. See https://www.w3.org/TR/2015/CR-CSP2-20150721/#script-src-hash-usage

Is there a way for this library to automatically calculate the hashes? Or should addons that use contentFor do the hashing and add the results to config.contentSecurityPolicy['script-src']? If the latter, could this addon expose an API to make that easier?

See also pgrippi/ember-cli-google-analytics#21

sandstrom commented 8 years ago

Thanks for bringing this up James!

At the moment no, but I agree that it would be a good addition.

For hashes we'd need to have this addon run after minification. Do you know if ember-cli has support for specifying the order of addons?

I don't know much about addon <-> addon communication, but unless there is a way of specifying the order it would be better if this addon had an API for setting the hash.


Nonces (https://www.w3.org/TR/2015/CR-CSP2-20150721/#script-src-nonce-usage) would be easier to implement, but won't work since they must be randomly generated for each request (ember is often hosted statically).

jelhan commented 5 years ago

This is also a requirement for ember-style-modifier to support SSR/Fastboot: https://github.com/jelhan/ember-style-modifier/issues/11 Please especially note the design outlined in https://github.com/jelhan/ember-style-modifier/issues/11#issuecomment-499795602. I'm planning to implement that feature soon.

GCheung55 commented 4 years ago

Any update on this issue? It would be really helpful to have a way to add hashes to the configuration at build time.

jelhan commented 4 years ago

It's still a work in progress. But slow progress, to be honest. v2 should lay the foundation for this feature. I hope that implementation is straightforward afterwards. But I don't have much time to work on this addon currently. So it will take some time.

I would appreciate any help. If you have some time to help implementing this feature or the missing pieces to get v2 stable, please reach out to me on Discord to coordinate.