Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add cspNonce option to add a nonce attribute to the <script> #47

Closed
wants to merge 2 commits into from
Closed

add cspNonce option to add a nonce attribute to the <script> #47

wants to merge 2 commits into from

Conversation

eturino
Copy link

@eturino eturino commented Mar 24, 2018

for CSP compliance options.

This will allow using strict CSP in development using script-dynamic and a nonce.

@eturino
Copy link
Author

eturino commented Apr 3, 2018

@rwjblue could you have a look, please? :)

rwjblue
rwjblue reviewed Apr 3, 2018
View reviewed changes
Copy link
Member

@rwjblue rwjblue left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm, I'm not sure about this. A nonce is supposed to be regenerated with each request but this implementation uses a single static nonce (AFAICT).

Wouldn't a hash be a better solution? I think we can easily compute the hash to include based on the content we actually send...

@sandstrom (sorry to pester), do you have thoughts on this?

@sandstrom
Copy link

sandstrom commented Apr 3, 2018
edited
Loading

@eturino @rwjblue I see two alternatives here:

  1. Solve this only for development. In that case, the solution could live here.
  2. Solve this in ember-cli-content-security-policy. In that case, we need to consider minification, which will alter the script.

I think the second alternative is much better! (but it's slightly more complicated)

More details here: rwjblue/ember-cli-content-security-policy#67

I also agree with @rwjblue that a static nonce is a bad idea. The standard is pretty clear on using a dynamic nonce (generated for each http request).

@eturino
Copy link
Author

eturino commented Apr 4, 2018
edited
Loading

I intended this only for development, to be honest. To be honest, I have no experience building addons, so I have no idea if we could make this environment dependent.

if (environment === 'development') { // is <-- possible?
  process.env.EMBER_CLI_INJECT_LIVE_RELOAD_CSP_NONCE = options.developmentCSPNonce;
}

@sandstrom
Copy link

sandstrom commented Apr 4, 2018
edited
Loading

For your own fork the code in this PR works well, so feel free to use it for local development!

However, due to the aforementioned reasons (my and rwjblues comments) I'm not sure it's a good idea to merge this PR in its current state, even if the code was restricted to development only (like you suggest).

@eturino
Copy link
Author

eturino commented Apr 4, 2018

fair enough :)

@eturino eturino closed this Apr 4, 2018
@sandstrom
Copy link

@eturino I still agree with you that CSP nonce support would be great (I want it myself), but I think it's better to make something that'll work for both production and development.

For that, rwjblue/ember-cli-content-security-policy#67 is probably a good way to start. If you want to dig in I'm happy to provide some pointers on where to start! 😄

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rwjblue rwjblue rwjblue left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@eturino @sandstrom @rwjblue