upgrade readme #106

Merged
merged 3 commits into from
Aug 8, 2019
79 changes: 52 additions & 27 deletions README.md
Expand Up @@ -23,36 +23,61 @@ Installation
ember install ember-cli-content-security-policy
```

## Configuration
Configuration
------------------------------------------------------------------------------

This addon is configured via `config/content-security-policy.js` file.

- `delivery: string[]`
CSP is delivered via HTTP Header if delivery includes `"header"` and via meta element if it includes `"meta"`.
Defaults to `["header"]`.
- `enabled: boolean`
Controls if addon is enabled at all.
Defaults to `true`.
- `policy: object`
A hash of options representing a Content Security Policy.
Defaults to:
```js
{
'default-src': ["'none'"],
'script-src': ["'self'"],
'font-src': ["'self'"],
'connect-src': ["'self'"],
'img-src': ["'self'"],
'style-src': ["'self'"],
'media-src': ["'self'"],
}
```
To clear a directive from the default policy, set it to `null`.
Collaborator Author

Since the configuration is not merged anymore, there isn't any need to set a directive to null. I missed deleting that sentence in #101.

The browser will fallback to the `default-src` if a directive does not exist.
- `reportOnly: boolean`
Controls if CSP is used in report only mode. For delivery mode `"header"` this causes `Content-Security-Policy-Report-Only` HTTP header to be used.
Can not be used together with delivery mode `"meta"` as this is not supported by CSP spec.
Defaults to `true`.
```ts
interface EmberCLIContentSecurityPolicyConfig {
// CSP is delivered via HTTP Header if delivery includes `"header"` and via
// meta element if it includes `"meta"`.
delivery?: string,
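Review bot: `delivery?: string` in the interface contradicts the default `delivery: ['header']` and the comment's own wording ("if delivery includes `"header"`"), both of which describe an array; this should be `delivery?: string[]`, or better `('header' | 'meta')[]` so the two accepted values are documented in the type itself. The sentence above, "The browser will fallback to the `default-src` if a directive does not exist", also overstates the fallback: only fetch directives inherit from `default-src`, while `base-uri`, `form-action` and `frame-ancestors` do not, so with the default policy shown here those remain unrestricted unless set explicitly, and the README should say so.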
jelhan marked this conversation as resolved.

// Controls if addon is enabled at all.
enabled?: boolean,

// A hash of options representing a Content Security Policy. The key must be
// a CSP directive name as defined by spec. The value must be an array of
// strings that form a CSP directive value, most likely a source list, e.g.
// {
// 'default-src': ["'none'"],
// 'style-src': ["'self'", 'examples.com']
// }
// Please refer to CSP specification for details on valid CSP directives:
// https://w3c.github.io/webappsec-csp/#framework-directives
policy?: { [key: string]: string[]; },
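Review bot: the `policy` comment should state that keyword sources keep their single quotes inside the string, exactly as the example `"'self'"` shows, because `'self'` written as the bare string `self` is treated by the browser as a host-source named `self` rather than the keyword, and the directive then no longer matches same-origin resources. A one-line warning next to the example would prevent the most common misconfiguration of this option.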
Collaborator Author


May provide a list of allowed keys, but that would quickly get outdated as new keys might be added by CSP3, which is still an editor's draft, or even by other specs (§6.5 Directives Defined in Other Documents).

Member


TS interfaces allow additional keys, so I think we can list the ones we expect at the moment (AFAIK new keys are still somewhat uncommon)

Collaborator Author


Added the directive names as a type referenced as key. I hope that was the correct way. It's a very long list. But it's maybe helpful to explicitly state that all directives are supported and not only the ones used in the default config.


// Controls if CSP is used in report only mode. For delivery mode `"header"`
// this causes `Content-Security-Policy-Report-Only` HTTP header to be used.
// Can not be used together with delivery mode `"meta"` as this is not
// supported by CSP spec.
reportOnly?: boolean,
}
```

If you omit some or all of the keys, the default configuration will be used, which is:

```js
// config/content-security-policy.js

export default function(environment) {
return {
delivery: ['header'],
enabled: true,
policy: {
'default-src': ["'none'"],
'script-src': ["'self'"],
'font-src': ["'self'"],
'connect-src': ["'self'"],
'img-src': ["'self'"],
'style-src': ["'self'"],
'media-src': ["'self'"],
},
reportOnly: true,
};
}
```

### Example
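Review bot: the default `reportOnly: true` in the configuration block means a fresh install only reports violations and enforces nothing, which a reader skimming the Configuration section can easily miss; the `reportOnly` comment in the interface should say explicitly that production enforcement requires setting it to `false`. It should also state what the addon does when `reportOnly: true` is combined with `delivery: ['meta']`, i.e. whether the build fails or the meta element is emitted without report-only semantics, since "Can not be used together" leaves the behaviour undefined for the reader.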
