From 137c8a56cba077ca62f6a8d90d540963eb2722c1 Mon Sep 17 00:00:00 2001
From: Jeldrik Hanschke
Date: Tue, 6 Aug 2019 22:33:51 +0200
Subject: [PATCH 1/3] upgrade readme

---
README.md | 79 ++++++++++++++++++++++++++++++++++++-------------------
1 file changed, 52 insertions(+), 27 deletions(-)

diff --git a/README.md b/README.md
index fa6d7b8..6d05789 100644
--- a/README.md
+++ b/README.md
@@ -23,36 +23,61 @@ Installation
 ember install ember-cli-content-security-policy
 ```
 
-## Configuration
+Configuration
+------------------------------------------------------------------------------
 
 This addon is configured via `config/content-security-policy.js` file.
 
-- `delivery: string[]`
- CSP is delivered via HTTP Header if delivery includes `"header"` and via meta element if it includes `"meta"`.
- Defaults to `["header"]`.
-- `enabled: boolean`
- Controls if addon is enabled at all.
- Defaults to `true`.
-- `policy: object`
- A hash of options representing a Content Security Policy.
- Defaults to:
- ```js
- {
- 'default-src': ["'none'"],
- 'script-src': ["'self'"],
- 'font-src': ["'self'"],
- 'connect-src': ["'self'"],
- 'img-src': ["'self'"],
- 'style-src': ["'self'"],
- 'media-src': ["'self'"],
- }
- ```
- To clear a directive from the default policy, set it to `null`.
- The browser will fallback to the `default-src` if a directive does not exist.
-- `reportOnly: boolean`
- Controls if CSP is used in report only mode. For delivery mode `"header"` this causes `Content-Security-Policy-Report-Only` HTTP header to be used.
- Can not be used together with delivery mode `"meta"` as this is not supported by CSP spec.
- Defaults to `true`.
+```ts
+interface EmberCLIContentSecurityPolicyConfig {
+ // CSP is delivered via HTTP Header if delivery includes `"header"` and via
+ // meta element if it includes `"meta"`.
+ delivery?: string,
+
+ // Controls if addon is enabled at all.
+ enabled?: boolean,
+
+ // A hash of options representing a Content Security Policy. The key must be
+ // a CSP directive name as defined by spec. The value must be an array of
+ // strings that form a CSP directive value, most likely a source list, e.g.
+ // {
+ // 'default-src': ["'none'"],
+ // 'style-src': ["'self'", 'examples.com']
+ // }
+ // Please refer to CSP specification for details on valid CSP directives:
+ // https://w3c.github.io/webappsec-csp/#framework-directives
+ policy?: { [key: string]: string[]; },
+
+ // Controls if CSP is used in report only mode. For delivery mode `"header"`
+ // this causes `Content-Security-Policy-Report-Only` HTTP header to be used.
+ // Can not be used together with delivery mode `"meta"` as this is not
+ // supported by CSP spec.
+ reportOnly?: boolean,
+}
+```
+
+If you omit some or all of the keys, the default configuration will be used, which is:
+
+```js
+// config/content-security-policy.js
+
+export default function(environment) {
+ return {
+ delivery: ['header'],
+ enabled: true,
+ policy: {
+ 'default-src': ["'none'"],
+ 'script-src': ["'self'"],
+ 'font-src': ["'self'"],
+ 'connect-src': ["'self'"],
+ 'img-src': ["'self'"],
+ 'style-src': ["'self'"],
+ 'media-src': ["'self'"],
+ },
+ reportOnly: true,
+ };
+}
+```
 
 ### Example
 

From f49ea7f36e7b46648c853af2633c5c3d4249617a Mon Sep 17 00:00:00 2001
From: Jeldrik Hanschke
Date: Wed, 7 Aug 2019 12:17:22 +0200
Subject: [PATCH 2/3] Update README.md

Co-Authored-By: Robert Jackson
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 6d05789..94afb10 100644
--- a/README.md
+++ b/README.md
@@ -32,7 +32,7 @@ This addon is configured via `config/content-security-policy.js` file.
 interface EmberCLIContentSecurityPolicyConfig {
 // CSP is delivered via HTTP Header if delivery includes `"header"` and via
 // meta element if it includes `"meta"`.
- delivery?: string,
+ delivery?: 'meta' | 'header',
 
 // Controls if addon is enabled at all.
 enabled?: boolean,

From 850981ef687e77297731fa03efca7441b57c550c Mon Sep 17 00:00:00 2001
From: Jeldrik Hanschke
Date: Wed, 7 Aug 2019 12:34:35 +0200
Subject: [PATCH 3/3] list allowed directive names

---
README.md | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 94afb10..dc9c465 100644
--- a/README.md
+++ b/README.md
@@ -29,10 +29,22 @@ Configuration
 This addon is configured via `config/content-security-policy.js` file.
 
 ```ts
+type directiveName =
+ // Fetch Directives
+ 'child-src' | 'connect-src' | 'default-src' | 'font-src' | 'frame-src' | 'image-src' | 'manifest-src' | 'media-src' | 'object-src' | 'prefetch-src' | 'script-src' | 'script-src-elem' | 'script-src-attr' | 'style-src' | 'style-src-elem' | 'style-src-attr' | 'worker-src' |
+ // Document Directives
+ 'base-uri' | 'plugin-types' | 'sandbox' |
+ // Navigation Directives
+ 'form-action' | 'form-ancestors' | 'navigate-to' |
+ // Reporting Directives
+ 'report-uri' | 'report-uri' | 'report-to' |
+ // Directives Defined in Other Documents
+ 'block-all-mixed-content' | 'upgrade-insecure-requests' | 'require-sri-for';
+
 interface EmberCLIContentSecurityPolicyConfig {
 // CSP is delivered via HTTP Header if delivery includes `"header"` and via
 // meta element if it includes `"meta"`.
- delivery?: 'meta' | 'header',
+ delivery?: string,
 
 // Controls if addon is enabled at all.
 enabled?: boolean,
@@ -46,7 +58,7 @@ interface EmberCLIContentSecurityPolicyConfig {
 // }
 // Please refer to CSP specification for details on valid CSP directives:
 // https://w3c.github.io/webappsec-csp/#framework-directives
- policy?: { [key: string]: string[]; },
+ policy?: { [key: directiveName]: string[]; },
 
 // Controls if CSP is used in report only mode. For delivery mode `"header"`
 // this causes `Content-Security-Policy-Report-Only` HTTP header to be used.