ember-cli / ember-cli-inject-live-reload

Ember CLI plugin that injects live-reload script into HTML content
MIT License

Content-Security-Policy Warnings #20

Open jamesarosen opened 9 years ago

jamesarosen commented 9 years ago

I'm running ember-cli in dev on a custom domain. My /etc/hosts looks like

127.0.0.1    my-app.dev.local

Then I access my Ember app at http://my-app.dev.local:4200. Ember works fine and LiveReload works fine. But in my console, I see

Content Security Policy violation:
{
  "csp-report": {
    "document-uri": "http://my-app.dev.local:4200/canary/authentication/sign-in",
    "referrer": "http://my-app.dev.local:4200/canary/authentication/sign-in",
    "violated-directive": "script-src 'self' 'unsafe-eval' localhost:35729 0.0.0.0:35729",
    "effective-directive": "script-src",
    "original-policy": "img-src 'self' https://secure.gravatar.com/; connect-src 'self' http://app.dev.local ws://localhost:35729 ws://0.0.0.0:35729 http://0.0.0.0:4200/csp-report; default-src 'none'; script-src 'self' 'unsafe-eval' localhost:35729 0.0.0.0:35729; font-src 'self'; style-src 'self'; media-src 'self'; report-uri http://0.0.0.0:4200/csp-report;",
    "blocked-uri": "http://my-app.dev.local:35729",
    "source-file": "http://my-app.dev.local:4200/canary/ember-cli-live-reload.js",
    "line-number": 6,
    "column-number": 43,
    "status-code": 200
  }
}

Content Security Policy violation:
{
  "csp-report": {
    "document-uri": "http://my-app.dev.local:4200/canary/authentication/sign-in",
    "referrer": "http://my-app.dev.local:4200/canary/authentication/sign-in",
    "violated-directive": "connect-src 'self' http://app.dev.local ws://localhost:35729 ws://0.0.0.0:35729 http://0.0.0.0:4200/csp-report",
    "effective-directive": "connect-src",
    "original-policy": "img-src 'self' https://secure.gravatar.com/; connect-src 'self' http://app.dev.local ws://localhost:35729 ws://0.0.0.0:35729 http://0.0.0.0:4200/csp-report; default-src 'none'; script-src 'self' 'unsafe-eval' localhost:35729 0.0.0.0:35729; font-src 'self'; style-src 'self'; media-src 'self'; report-uri http://0.0.0.0:4200/csp-report;",
    "blocked-uri": "ws://my-app.dev.local:35729",
    "source-file": "http://my-app.dev.local:35729",
    "line-number": 74,
    "column-number": 21,
    "status-code": 200
  }
}

The relevant portion of my config/environment.js looks like

contentSecurityPolicy: {
  'img-src': "'self' https://secure.gravatar.com/",
  'connect-src': "'self' http://app.dev.local"
},
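Both reports above are ordinary CSP host matching: the policy allow-lists the live-reload server as `localhost:35729` / `0.0.0.0:35729`, but the injected script and its WebSocket are fetched from the host the page was actually loaded from (`my-app.dev.local:35729`), and `'self'` does not help because `'self'` is the document origin including its port (`4200`, not `35729`). The following Node/JavaScript is an added example, not code from this plugin or from ember-cli-content-security-policy: a small CSP Level 2 source-list matcher that reproduces the two violations against the exact policy and URLs from the report, plus an illustrative `withLiveReload` helper (an assumed fix approach, not the addon's implementation) that allow-lists the live-reload server on the document's own hostname instead of hard-coded `localhost`/`0.0.0.0`.

```javascript
// Added example: minimal CSP Level 2 host-source matcher. Not code from
// ember-cli-inject-live-reload or ember-cli-content-security-policy.
// Simplifications: no nonces/hashes, 'self' compares scheme+host+port only.
const DEFAULT_PORTS = { http: '80', https: '443', ws: '80', wss: '443' };

function schemeOf(u) { return u.protocol.replace(/:$/, '').toLowerCase(); }
function portOf(u) { return u.port || DEFAULT_PORTS[schemeOf(u)] || ''; }

// "img-src 'self' https://x; connect-src 'self'" -> Map { 'img-src' => [...], ... }
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue; // trailing ';' yields an empty segment
    directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

function serializePolicy(directives) {
  return [...directives].map(([name, srcs]) => [name, ...srcs].join(' ')).join('; ');
}

// Does one source expression allow `url` for a document loaded from `documentUrl`?
function sourceMatches(expr, url, documentUrl) {
  const target = new URL(url);
  const doc = new URL(documentUrl);
  if (expr === "'none'") return false;
  if (expr === "'self'") {
    return schemeOf(target) === schemeOf(doc) &&
      target.hostname === doc.hostname && portOf(target) === portOf(doc);
  }
  if (expr.startsWith("'")) return false; // 'unsafe-eval', 'unsafe-inline', ... never match a URL
  // [scheme://]host[:port][/path], host may be * or *.example
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^\/:*]+)(?::(\d+|\*))?(\/.*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  const tScheme = schemeOf(target);
  if (scheme) {
    if (scheme.toLowerCase() !== tScheme) return false;
  } else if (tScheme !== schemeOf(doc) && !(schemeOf(doc) === 'http' && tScheme === 'https')) {
    return false; // scheme-less source inherits the document's scheme (http may upgrade to https)
  }
  const tHost = target.hostname.toLowerCase();
  if (host === '*') { /* any host */ }
  else if (host.startsWith('*.')) { if (!tHost.endsWith(host.slice(1).toLowerCase())) return false; }
  else if (host.toLowerCase() !== tHost) return false;
  if (port === undefined) { if (portOf(target) !== (DEFAULT_PORTS[tScheme] || '')) return false; }
  else if (port !== '*' && port !== portOf(target)) return false;
  if (path && (path.endsWith('/') ? !target.pathname.startsWith(path) : target.pathname !== path)) return false;
  return true;
}

// Directive lookup with default-src fallback, like the browser does.
function isAllowed(policy, directive, url, documentUrl) {
  const d = parsePolicy(policy);
  const sources = d.has(directive) ? d.get(directive) : (d.get('default-src') || []);
  return sources.some((s) => sourceMatches(s, url, documentUrl));
}

// Illustrative fix (assumed approach, not the addon's code): allow-list the
// live-reload server on the host the page was actually served from.
function withLiveReload(policy, documentUrl, port = 35729) {
  const host = new URL(documentUrl).hostname;
  const d = parsePolicy(policy);
  const add = (name, src) => {
    const base = (d.get(name) || d.get('default-src') || []).filter((s) => s !== "'none'");
    d.set(name, [...base, src]);
  };
  add('script-src', `${host}:${port}`);
  add('connect-src', `ws://${host}:${port}`);
  return serializePolicy(d);
}

// Policy, document and blocked URIs copied from the two CSP reports in the issue.
const ISSUE_POLICY = "img-src 'self' https://secure.gravatar.com/; connect-src 'self' http://app.dev.local ws://localhost:35729 ws://0.0.0.0:35729 http://0.0.0.0:4200/csp-report; default-src 'none'; script-src 'self' 'unsafe-eval' localhost:35729 0.0.0.0:35729; font-src 'self'; style-src 'self'; media-src 'self'; report-uri http://0.0.0.0:4200/csp-report;";
const DOCUMENT = 'http://my-app.dev.local:4200/canary/authentication/sign-in';
const BLOCKED = [
  ['script-src', 'http://my-app.dev.local:35729'],
  ['connect-src', 'ws://my-app.dev.local:35729'],
];

// Returns { url: allowed? } for both blocked URIs under a given policy.
function checkPolicy(policy) {
  return Object.fromEntries(BLOCKED.map(([dir, url]) => [url, isAllowed(policy, dir, url, DOCUMENT)]));
}

console.log('as reported:', checkPolicy(ISSUE_POLICY));
console.log('with host-aware allow-list:', checkPolicy(withLiveReload(ISSUE_POLICY, DOCUMENT)));
```

Running it shows both URIs blocked under the reported policy and allowed once the document's own hostname is in `script-src` and `ws://<hostname>:35729` is in `connect-src`; the same matcher confirms the reported policy already accepts `http://localhost:35729/...` when the app is opened as `localhost:4200`, which is why the warnings only appear on a custom hostname.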
jamesarosen commented 9 years ago

It's possible this issue belongs on https://github.com/rwjblue/ember-cli-content-security-policy -- specifically around https://github.com/rwjblue/ember-cli-content-security-policy/blob/bb9a5ce76fdb116806c209d192c8f08d384eeb24/index.js#L37-L42