Content-Security-Policy Warnings #20

@jamesarosen

I'm running ember-cli in dev on a custom domain. My /etc/hosts looks like

127.0.0.1    my-app.dev.local

Then I access my Ember app at http://my-app.dev.local:4200. Ember works fine and LiveReload works fine. But in my console, I see

Content Security Policy violation:
{
  "csp-report": {
    "document-uri": "http://my-app.dev.local:4200/canary/authentication/sign-in",
    "referrer": "http://my-app.dev.local:4200/canary/authentication/sign-in",
    "violated-directive": "script-src 'self' 'unsafe-eval' localhost:35729 0.0.0.0:35729",
    "effective-directive": "script-src",
    "original-policy": "img-src 'self' https://secure.gravatar.com/; connect-src 'self' http://app.dev.local ws://localhost:35729 ws://0.0.0.0:35729 http://0.0.0.0:4200/csp-report; default-src 'none'; script-src 'self' 'unsafe-eval' localhost:35729 0.0.0.0:35729; font-src 'self'; style-src 'self'; media-src 'self'; report-uri http://0.0.0.0:4200/csp-report;",
    "blocked-uri": "http://my-app.dev.local:35729",
    "source-file": "http://my-app.dev.local:4200/canary/ember-cli-live-reload.js",
    "line-number": 6,
    "column-number": 43,
    "status-code": 200
  }
}

Content Security Policy violation:
{
  "csp-report": {
    "document-uri": "http://my-app.dev.local:4200/canary/authentication/sign-in",
    "referrer": "http://my-app.dev.local:4200/canary/authentication/sign-in",
    "violated-directive": "connect-src 'self' http://app.dev.local ws://localhost:35729 ws://0.0.0.0:35729 http://0.0.0.0:4200/csp-report",
    "effective-directive": "connect-src",
    "original-policy": "img-src 'self' https://secure.gravatar.com/; connect-src 'self' http://app.dev.local ws://localhost:35729 ws://0.0.0.0:35729 http://0.0.0.0:4200/csp-report; default-src 'none'; script-src 'self' 'unsafe-eval' localhost:35729 0.0.0.0:35729; font-src 'self'; style-src 'self'; media-src 'self'; report-uri http://0.0.0.0:4200/csp-report;",
    "blocked-uri": "ws://my-app.dev.local:35729",
    "source-file": "http://my-app.dev.local:35729",
    "line-number": 74,
    "column-number": 21,
    "status-code": 200
  }
}

The relevant portion of my config/environment.js looks like

contentSecurityPolicy: {
  'img-src': "'self' https://secure.gravatar.com/",
  'connect-src': "'self' http://app.dev.local"
},
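
Added example, not part of this issue or of the ember-cli-content-security-policy project: a small Node.js checker that takes a CSP violation report, looks up the violated directive in the reported policy, and tests the blocked URI against each source expression with a simplified form of the CSP host-source matching rule, reporting why each one fails. Run against the two reports quoted above it shows the cause of both violations: the live-reload sources name `localhost` and `0.0.0.0`, and `'self'` is the origin on port 4200, so nothing covers `my-app.dev.local:35729`. It also prints the narrowest host-source that would allow exactly the blocked origin; an allowance like that belongs in the development environment's config only, never in a production policy. Assumptions of the simplified matcher: path parts are ignored, and a source expression without a scheme is treated as allowing the document's scheme and its secure upgrade. The sample reports are the two from this issue, trimmed to the fields the checker uses.

```javascript
// Added example (not code from the ember-cli-content-security-policy project):
// explains a CSP violation report by testing the blocked URI against every
// source expression of the violated directive, using a simplified host-source
// matching rule. Assumptions: paths are ignored, and a source expression with
// no scheme is taken to allow the document's scheme and its secure upgrade.

// Default ports used when a URL or a source expression omits the port.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Schemes a source expression with scheme `s` allows (secure upgrades included).
function allowedSchemes(s) {
  const upgrades = { 'http:': ['https:'], 'ws:': ['wss:'] };
  return [s, ...(upgrades[s] || [])];
}

// Parse "directive src1 src2; directive2 ..." into { directive: [sources] }.
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// Test one source expression against a URL. Returns null on a match, otherwise
// a short reason. Host is checked before port and scheme so the most telling
// reason is the one reported.
function mismatchReason(source, url, documentUrl) {
  if (source === "'none'") return "'none' allows nothing";
  if (source.startsWith("'") && source !== "'self'") return `${source} is a keyword, not a host`;

  let scheme, host, port;
  if (source === "'self'") {
    scheme = documentUrl.protocol;
    host = documentUrl.hostname;
    port = documentUrl.port || DEFAULT_PORTS[scheme];
  } else if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {
    // scheme-source such as "https:" matches any host on that scheme
    const ok = allowedSchemes(source.toLowerCase()).includes(url.protocol);
    return ok ? null : `scheme ${url.protocol} is not ${source}`;
  } else {
    const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\*|\d+))?/i.exec(source);
    if (!m) return `cannot parse ${source}`;
    scheme = m[1] ? `${m[1].toLowerCase()}:` : null;
    host = m[2].toLowerCase();
    port = m[3] || '';
  }

  const urlHost = url.hostname.toLowerCase();
  const hostOk = host === '*' || (host.startsWith('*.')
    ? (urlHost.endsWith(host.slice(1)) && urlHost.length > host.length - 1)
    : urlHost === host);
  if (!hostOk) return `host ${urlHost} is not ${host}`;

  // A source without a port only allows the default port of the URL's scheme.
  const urlPort = url.port || DEFAULT_PORTS[url.protocol];
  const wantPort = port || DEFAULT_PORTS[url.protocol];
  if (port !== '*' && urlPort !== wantPort) return `port ${urlPort} is not ${wantPort}`;

  const schemes = allowedSchemes(scheme || documentUrl.protocol);
  if (!schemes.includes(url.protocol)) return `scheme ${url.protocol} is not allowed by ${source}`;
  return null;
}

// Explain one report: which sources matched (none, for a genuine violation),
// why each failed, and the narrowest host-source that would allow the origin.
function explainReport(report) {
  const r = report['csp-report'];
  const directive = r['effective-directive'];
  const sources = parsePolicy(r['original-policy'])[directive] || [];
  const blocked = new URL(r['blocked-uri']);
  const documentUrl = new URL(r['document-uri']);
  const reasons = sources.map((s) => ({ source: s, reason: mismatchReason(s, blocked, documentUrl) }));
  return {
    directive,
    matched: reasons.filter((x) => x.reason === null).map((x) => x.source),
    reasons,
    suggestion: `${blocked.protocol}//${blocked.hostname}:${blocked.port || DEFAULT_PORTS[blocked.protocol]}`,
  };
}

// Sample input: the two reports quoted in this issue, trimmed to the fields used.
const POLICY = "img-src 'self' https://secure.gravatar.com/; connect-src 'self' http://app.dev.local ws://localhost:35729 ws://0.0.0.0:35729 http://0.0.0.0:4200/csp-report; default-src 'none'; script-src 'self' 'unsafe-eval' localhost:35729 0.0.0.0:35729; font-src 'self'; style-src 'self'; media-src 'self'; report-uri http://0.0.0.0:4200/csp-report;";
const DOCUMENT_URI = 'http://my-app.dev.local:4200/canary/authentication/sign-in';
const REPORTS = [
  { 'csp-report': { 'document-uri': DOCUMENT_URI, 'effective-directive': 'script-src',
                    'original-policy': POLICY, 'blocked-uri': 'http://my-app.dev.local:35729' } },
  { 'csp-report': { 'document-uri': DOCUMENT_URI, 'effective-directive': 'connect-src',
                    'original-policy': POLICY, 'blocked-uri': 'ws://my-app.dev.local:35729' } },
];

for (const report of REPORTS) {
  const e = explainReport(report);
  console.log(`${e.directive}: blocked ${report['csp-report']['blocked-uri']}`);
  for (const { source, reason } of e.reasons) console.log(`  ${source.padEnd(34)} ${reason || 'MATCH'}`);
  console.log(`  -> narrowest source that would allow it: ${e.suggestion}`);
}
```

The checker needs no dependencies beyond Node's built-in `URL`; feed it any report body posted to a `report-uri` endpoint to see which source expression the policy is missing before loosening anything.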
